(54) Method for managing security for a card-type storage medium and a card-type storage medium



(57) An apparatus and method for managing security of an IC card such as a cashless payment card, an ID card, a medical health management card, a local government service card, etc. in each transaction, with the object of improving the level of security. The permissible number of accesses to a data file (32c) in each transaction is set beforehand. When a transaction is started between a card-type storage medium (1A) and a transaction apparatus, the number of accesses to the data file after the start of the transaction is counted and the counted number of accesses is compared with the permissible number of accesses. If the number of accesses exceeds the permissible number of accesses, it is judged that an error has occurred, and the transaction is interrupted.
Description

BACKGROUND OF THE INVENTION 

1) Field of the Invention

The present invention is applicable to a card-type storage medium such as an IC card used as a cashless payment card, an ID card, a medical health management card, a local government service card, etc. More specifically, the present invention relates to a method for managing and strengthening security at the time of file access to such a card-type storage medium, and to a card-type storage medium and a transaction apparatus therefor realizing said method.

As represented by the forgery of prepayment cards such as telephone cards, crimes of card forgery and fabrication of the data in cards have tended to increase in recent years. Therefore, a more sophisticated and more complex security function is required of a system using such cards.

In particular, a card-type storage medium such as an IC card, which will spread more widely in the future, keeps more than a hundred times as much data as a magnetic card. To prevent leakage, forgery or fabrication of the information, consideration of the security of a system using such a card-type storage medium is very important.

2) Description of the Related Art 

As shown in FIGS. 14 and 15, an IC card (a card-type storage medium) 100 has, in general, a microprocessor unit (MPU) 101 and a storage (a file area, for example an EPROM or an EEPROM) 102, and is connected to a transaction apparatus (an external apparatus), not shown, via a terminal unit 103.

The storage 102 has a data area in which data files are kept and a directory area in which control information (pointers, etc.) for the data files in the data area is kept. The MPU 101 manages the data files in the data area in the storage 102 on the basis of the control information in the directory area.

For instance, when receiving an access command from the external transaction apparatus via the terminal unit 103, the MPU 101 performs a reading process (a read access), a writing process (a write access), an erasing process (an erase access), a rewriting process (a rewrite access) or the like on the storage 102 in response to the access command.

The MPU 101 has a RAM 101B used as a work area during a control operation, along with a ROM 101A keeping a program for the control operation. In the case of an IC card 100 of the ISO type, the terminal unit 103 is provided with eight contacts (VCC, RST, CLK, RFU, GND, VPP, I/O and RFU).

In such an IC card 100, the storage 102 keeps more than 100 times as much data as a magnetic card. To prevent leakage, forgery and fabrication of the data kept in the storage, an access capability (a capability for access) and an access right corresponding to the access capability are generally set, and a security check is carried out against them.

For instance, the storage 102 in the IC card 100 keeps in advance an access capability and an access right as fundamental information for security. The access capability is used to verify the capability of the party issuing a command to the IC card 100, such as a card issuer, a card holder, an application provider, a service executor or a service provider. The access right (read right, write right, etc.) is set correspondingly to the above-mentioned access capability for each file kept in the storage 102, and defines which access processes a party having a given access capability can perform on each data file.

As shown in FIG. 16, when a data file stored in the storage 102 of the IC card 100 is accessed from the external transaction apparatus (an application A) 110, a select command is first issued to select and determine the data file that is the object of the access among the data files stored in the storage 102 of the IC card 100, and a verify command is then issued to authenticate an access capability for that data file. This authentication is performed on the basis of an authentication code sent from the transaction apparatus 110. After that, when receiving an access command (read record or write record) from the transaction apparatus 110, the IC card 100 verifies whether the access command is of an access type (read, write or the like) which has been permitted beforehand as an access right corresponding to the authenticated access capability.

The security check with the access capability and the access right as stated above will next be described in more detail with reference to FIG. 17. Assume that "OK", "OK", "NG" and "NG" are set for a service provider, a card issuer, a service executor and a card holder, respectively, as the read right (an access right) for a data file stored in the storage 102 of an IC card, as shown in FIG. 17. In other words, only the service provider and the card issuer can perform a reading process on that data file.

Under such circumstances, if an application operating with the access capability of the service provider issues a read command (READ) as shown in FIG. 17, the IC card permits the read access to the data file, since "OK" is set as the READ right of the service provider for that data file in the IC card 100.

On the other hand, when an application operating with the access capability of the service executor issues a read command, the IC card 100 rejects the read access to the data file, since "NG" is set as the READ right of the service executor for that data file in the IC card 100.

As stated above, security at the time of access to a data file stored in a conventional IC card (a card-type storage medium) rests on two points: the access capability and the access right. However, if information about the relation between the access capability and the access right leaks outside, an unrightful application can easily access data files in the IC card. There is therefore a requirement to improve the security function upon accessing files in the IC card, so that an access from an unrightful application is prevented even if the information about the relation between the access capability and the access right leaks outside, or if another person unrightfully obtains the information about the access capability and the access right.

In a typical IC card system, a transaction is carried out between the IC card and one application in one-to-one correspondence. With the increasingly diversified and sophisticated needs of users, systems have appeared that operate in a mode where a plurality of applications can simultaneously use the same IC card. In such a system, the security function of the present IC card is insufficient. Such a system requires a security function which can manage the applications using an IC card, taking simultaneous accesses from a plurality of applications into consideration.

As described with reference to FIG. 16, in the conventional command process, which is based on the assumption that every command is issued from the same application (the application A in FIG. 16), a security check is made with only the access capability and the access right. It is therefore impossible to identify the application that issued a command.

In a system in which a plurality of applications can simultaneously access the same IC card, suppose that, after an application A has issued a select command and a verify command to select and determine the data file that is the object of the access and to authenticate its access capability, a different application B issues an access command to that data file. The IC card 100 accepts the access command from the application B, since in the conventional command process the IC card 100 mistakenly takes that access command to have been issued from the same application. As a result, the application B can gain unrightful access to that data file.

The problems of the security function of the conventional IC card are summarized as follows:

(a) If an unrightful application unrightfully obtains the security information (an access capability, an access right), the present security function allows an unrightful access to a data file;

(b) In a system in which a plurality of applications can simultaneously access the same IC card, if, after the data file that is the object of an access has been determined, a different application tries to access that data file, the system allows that unrightful access.
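
The command flow of FIGS. 16 and 17 and the unrightful access of FIG. 18 are modelled below in Python as an added example; this code is not part of the patent. The file identifier EF01, the capability names, the authentication codes and the ISO 7816-4 style status words are constructed for the demonstration. fig17_check shows the access-right matrix permitting the service provider and rejecting the service executor; fig18_hijack shows problem (b): because the card checks only the access capability and the access right, a command from application B is served once application A has selected and verified.

```python
"""Model of the conventional IC card check of FIGS. 16 and 17 (SELECT, VERIFY,
then READ/WRITE RECORD checked against the access-right matrix) and of the
multi-application problem of FIG. 18.  Added example, not code from the patent;
file identifiers, capability names, authentication codes and status words are
constructed for the demonstration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Access-right matrix in the style of FIG. 17: "OK"/"NG" per capability and
# access type for one data file (constructed values).
ACCESS_RIGHTS = {
    "EF01": {
        "READ": {"service_provider": "OK", "card_issuer": "OK",
                 "service_executor": "NG", "card_holder": "NG"},
        "WRITE": {"service_provider": "OK", "card_issuer": "NG",
                  "service_executor": "NG", "card_holder": "NG"},
    }
}

# Codes that prove a capability to the card (constructed; a real card would
# keep secrets and run a challenge-response, not compare fixed codes).
AUTH_CODES = {"service_provider": b"sp-code", "card_issuer": b"issuer-code",
              "service_executor": b"exec-code", "card_holder": b"holder-code"}


@dataclass
class ConventionalCard:
    files: dict[str, list[bytes]] = field(
        default_factory=lambda: {"EF01": [b"record-1", b"record-2"]})
    selected: str | None = None       # data file determined by SELECT
    capability: str | None = None     # capability authenticated by VERIFY

    def select(self, file_id: str) -> str:
        if file_id not in self.files:
            return "6A82"             # file not found
        self.selected, self.capability = file_id, None
        return "9000"

    def verify(self, capability: str, code: bytes) -> str:
        if self.selected is None:
            return "6985"             # no file selected
        if AUTH_CODES.get(capability) != code:
            return "6300"             # authentication failed
        self.capability = capability
        return "9000"

    def access(self, access_type: str, record: int) -> tuple[str, bytes | None]:
        """READ/WRITE RECORD.  Only the access right of the authenticated
        capability is checked; nothing ties the command to the application
        that performed SELECT and VERIFY."""
        if self.selected is None or self.capability is None:
            return "6982", None       # security status not satisfied
        if ACCESS_RIGHTS[self.selected][access_type][self.capability] != "OK":
            return "6982", None
        records = self.files[self.selected]
        if not 0 <= record < len(records):
            return "6A83", None       # record not found
        return "9000", records[record]


def fig17_check() -> tuple[str, str]:
    """Service provider may READ ("OK"); service executor may not ("NG")."""
    card = ConventionalCard()
    card.select("EF01")
    card.verify("service_provider", AUTH_CODES["service_provider"])
    sw_provider, _ = card.access("READ", 0)
    card.select("EF01")
    card.verify("service_executor", AUTH_CODES["service_executor"])
    sw_executor, _ = card.access("READ", 0)
    return sw_provider, sw_executor


def fig18_hijack() -> tuple[str, bytes | None]:
    """Application A selects and verifies; application B, sharing the card,
    issues the next READ RECORD and is served although it never verified."""
    card = ConventionalCard()
    card.select("EF01")                                        # application A
    card.verify("service_provider", AUTH_CODES["service_provider"])
    return card.access("READ", 1)                              # application B


if __name__ == "__main__":
    print(fig17_check())   # ('9000', '6982')
    print(fig18_hijack())  # ('9000', b'record-2')
```

Problem (a) is visible in the same model: any party holding a valid authentication code is indistinguishable from its rightful owner, so leaked capability information is sufficient for access.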



SUMMARY OF THE INVENTION 

An object of this invention is to provide a method for managing security for a card-type storage medium, and a card-type storage medium and a transaction apparatus therefor, in which security management in each transaction is realized so as to improve the level of security at the time of a file access, and in which it is possible to identify the application issuing a command so as to prevent accesses to the same data file from different applications.

This invention therefore provides a method for managing security for a card-type storage medium having a storage unit keeping a data file therein, comprising the steps of setting beforehand the permissible number of accesses to said data file in one transaction, counting the number of accesses to said data file after a start of a transaction when said transaction is started between said card-type storage medium and a transaction apparatus accessing said card-type storage medium to execute said transaction, comparing the number of accesses counted with said permissible number of accesses set beforehand, judging that an error has occurred if said number of accesses exceeds said permissible number of accesses, and interrupting said transaction.

This invention also provides a method for managing security for a card-type storage medium having a storage unit keeping a data file therein, comprising the steps of setting beforehand a permissible access period to said data file in one transaction, measuring the access period to said data file after a start of a transaction when said transaction is started between said card-type storage medium and a transaction apparatus accessing said card-type storage medium to execute said transaction therewith, comparing the access period measured with said permissible access period set beforehand, judging that an error has occurred if said access period exceeds said permissible access period, and interrupting said transaction.

This invention also provides a method for managing security for a card-type storage medium having a storage unit keeping data files therein, comprising the steps of setting beforehand the permissible number of accesses and a permissible access period for said data file in one transaction, counting the number of accesses and measuring the access period to said data file after a start of a transaction when said transaction is started between said card-type storage medium and a transaction apparatus accessing said card-type storage medium to execute the transaction, comparing the number of accesses counted with said permissible number of accesses set beforehand and comparing the access period measured with said permissible access period, judging that an error has occurred if said number of accesses exceeds said permissible number of accesses or if said access period exceeds said permissible access period, and interrupting said transaction.

A card-type storage medium according to this invention has a storage unit having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area, and a control unit managing the data file in said data area in said storage unit on the basis of the control information in said directory area in said storage unit, in which the permissible number of accesses to said data file in one transaction is set beforehand in said directory area in said storage unit, said control unit comprising a counting means counting the number of accesses to said data file after a start of a transaction when said transaction is started with an external apparatus, a comparing means comparing the number of accesses counted by said counting means with said permissible number of accesses set beforehand in said directory area in said storage unit, and an error judging means judging that an error has occurred if said number of accesses exceeds said permissible number of accesses as a result of the comparison by said comparing means, and interrupting said transaction.

Alternatively, a card-type storage medium according to this invention has a storage unit having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area, and a control unit managing the data file in said data area in said storage unit on the basis of the control information in said directory area in said storage unit, in which a permissible access period for said data file in each transaction is set beforehand in said directory area in said storage unit, said control unit comprising a timer means measuring the access period to said data file after a start of a transaction when said transaction is started with an external apparatus, a comparing means comparing the access period measured by said timer means with said permissible access period set beforehand in said directory area in said storage unit, and an error judging means judging that an error has occurred if said access period exceeds said permissible access period as a result of the comparison by said comparing means, and interrupting said transaction.

Alternatively, a card-type storage medium according to this invention has a storage unit having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area, and a control unit managing the data file in said data area in said storage unit on the basis of the control information in said directory area in said storage unit, in which the permissible number of accesses and a permissible access period for said data file in each transaction are set beforehand in said directory area in said storage unit, said control unit comprising a counting means counting the number of accesses to said data file after a start of a transaction when said transaction is started with an external apparatus, a timer means measuring the access period to said data file after the start of said transaction, a first comparing means comparing the number of accesses counted by said counting means with said permissible number of accesses set beforehand in said directory area in said storage unit, a second comparing means comparing the access period measured by said timer means with said permissible access period set beforehand in said directory area in said storage unit, and an error judging means judging that an error has occurred if said number of accesses exceeds said permissible number of accesses as a result of the comparison by said first comparing means or if said access period exceeds said permissible access period as a result of the comparison by said second comparing means, and interrupting said transaction.

In a method for managing security for a card-type storage medium and a card-type storage medium according to this invention, by checking either the number of accesses or the access time in each transaction, it is possible to interrupt the transaction if more accesses than necessary have been made to the card-type storage medium or if an access to the card-type storage medium is being made for a period longer than necessary. This makes it possible to prevent, with certainty, unrightful accesses to the card-type storage medium from the outside, and to improve largely the level of security at the time of a file access.

This invention also provides a method for managing security of a card-type storage medium having a storage unit keeping a data file therein, comprising the steps of generating a unique identifier for a transaction in said card-type storage medium when the transaction is started between said card-type storage medium and a transaction apparatus accessing said card-type storage medium to execute the transaction therewith and the data file that is the object of an access of said transaction apparatus is determined, notifying said unique identifier to said transaction apparatus, giving said unique identifier to each access command from said transaction apparatus to said card-type storage medium until an end of said transaction, comparing said unique identifier given to the access command from said transaction apparatus with the unique identifier generated for said transaction in said card-type storage medium, and performing a process according to the access command from said transaction apparatus only if these unique identifiers are in agreement.

A card-type storage medium according to this invention has a storage unit having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area, and a control unit managing the data file in said data area in said storage unit on the basis of the control information in said directory area in said storage unit, said control unit comprising a unique identifier generating means generating a unique identifier for a transaction when the transaction is started with an external apparatus and the data file that is the object of an access from said external apparatus is determined, a unique identifier notifying means notifying the unique identifier generated by said unique identifier generating means to said external apparatus, a first comparing means comparing a unique identifier given to an access command from said external apparatus with the unique identifier generated by said unique identifier generating means for said transaction, and a first judging means judging that the access command from said external apparatus is for said transaction if these unique identifiers are found to be in agreement as a result of the comparison by said first comparing means, and performing a process according to the access command from said external apparatus.

This invention also provides a transaction apparatus for a card-type storage medium, which accesses said card-type storage medium having a storage unit keeping a data file therein to execute a transaction therebetween, comprising a notifying means which, when the data file that is the object of the access has been determined in said card-type storage medium and said transaction apparatus has been informed of the unique identifier for said transaction from said card-type storage medium, gives said unique identifier to each access command issued to said card-type storage medium until an end of the transaction.

In a method for managing security of a card-type storage medium, a card-type storage medium and a transaction apparatus therefor according to this invention, the unique identifier for a transaction is given to every access command issued from the transaction apparatus during said transaction. The transaction apparatus accessing said card-type storage medium can thereby be identified by referring to said unique identifier, so as to prevent, with certainty, accesses from different applications to the same data file, and to improve largely the level of security.
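
The unique identifier scheme described above (generated by the card once the data file is determined, notified to the transaction apparatus, attached by the apparatus to every access command, and compared by the card) is modelled below in Python as an added example; this code is not part of the patent. The command shapes, the 8-byte random identifier, the capability codes and the status words are assumptions made for the demonstration. hijack_blocked replays the FIG. 18 situation: the commands of application B, which do not carry the identifier notified to application A, are rejected, while A's own command is served.

```python
"""Per-transaction unique identifier of the second embodiment: the card
generates the identifier once the data file is determined, notifies it to
the transaction apparatus, and serves only access commands carrying it.
Added example, not the patent's code; the command shapes, the 8-byte
identifier, the capability codes and the status words are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

AUTH_CODES = {"service_provider": b"sp-code", "service_executor": b"exec-code"}  # constructed


@dataclass
class Card:
    files: dict[str, list[bytes]] = field(
        default_factory=lambda: {"EF01": [b"rec-a", b"rec-b"]})
    selected: str | None = None
    tx_id: bytes | None = None        # unique identifier of the current transaction

    def select(self, file_id: str) -> str:
        self.selected, self.tx_id = None, None   # a new SELECT ends the old transaction
        if file_id not in self.files:
            return "6A82"
        self.selected = file_id
        return "9000"

    def verify(self, capability: str, code: bytes) -> tuple[str, bytes | None]:
        """Once the file is determined and the capability authenticated, the
        generating means issues a fresh identifier, returned to the apparatus
        (the notifying means)."""
        if self.selected is None:
            return "6985", None
        if AUTH_CODES.get(capability) != code:
            return "6300", None
        self.tx_id = secrets.token_bytes(8)   # unpredictable, new every transaction
        return "9000", self.tx_id

    def read(self, tx_id: bytes | None, record: int) -> tuple[str, bytes | None]:
        """Access command carrying an identifier; the comparing means rejects
        any command whose identifier differs from this transaction's."""
        if self.selected is None or self.tx_id is None:
            return "6985", None
        if tx_id is None or not secrets.compare_digest(tx_id, self.tx_id):
            return "6982", None
        return "9000", self.files[self.selected][record]

    def end_transaction(self) -> None:
        self.selected, self.tx_id = None, None   # identifier no longer accepted


@dataclass
class Application:
    """Transaction apparatus side: keeps the notified identifier and attaches
    it to every access command until the end of the transaction."""
    name: str
    tx_id: bytes | None = None

    def open(self, card: Card, file_id: str, capability: str, code: bytes) -> str:
        card.select(file_id)
        sw, self.tx_id = card.verify(capability, code)
        return sw

    def read(self, card: Card, record: int) -> tuple[str, bytes | None]:
        return card.read(self.tx_id, record)


def hijack_blocked() -> tuple[str, str, str]:
    """A opens the transaction; B's commands, without A's identifier or with a
    guessed one, are rejected, while A's own command is served."""
    card = Card()
    app_a, app_b = Application("A"), Application("B")
    app_a.open(card, "EF01", "service_provider", AUTH_CODES["service_provider"])
    sw_no_id, _ = app_b.read(card, 0)
    app_b.tx_id = secrets.token_bytes(8)       # guess: 2**-64 chance of matching
    sw_guess, _ = app_b.read(card, 0)
    sw_a, _ = app_a.read(card, 0)
    return sw_a, sw_no_id, sw_guess


def stale_id_rejected() -> str:
    """After the transaction ends, even the legitimate identifier is refused."""
    card = Card()
    app_a = Application("A")
    app_a.open(card, "EF01", "service_provider", AUTH_CODES["service_provider"])
    card.end_transaction()
    return app_a.read(card, 0)[0]
```

The identifier is drawn from a cryptographic random source and compared in constant time; a counter or a predictable value would let application B forge it, which is the attack the scheme is meant to stop.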

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGS. 1 through 4 are block diagrams showing 
aspects of this invention; 

FIG. 5 is a block diagram of a card-type storage 
medium according to a first embodiment of this 
invention;

FIG. 6 is an illustration for illustrating security additional information according to the first embodiment;

FIG. 7 is an illustration for illustrating a logical structure of a storage unit and security information according to the first embodiment;

FIG. 8 is an illustration for illustrating an operation of the card-type storage medium according to the first embodiment;

FIG. 9 is a flowchart showing an operation of the card-type storage medium according to the first embodiment;

FIGS. 10(A) and 10(B) are illustrations showing a command sequence between the card-type storage medium and an upper apparatus in order to illustrate more concretely the operation of the card-type storage medium according to the first embodiment;

FIG. 11 is a block diagram of a card-type storage medium and a transaction apparatus according to a second embodiment of this invention;

FIG. 12 is a flowchart showing operations of the card-type storage medium and the transaction apparatus according to the second embodiment;

FIG. 13 is an illustration showing signal sequences between the card-type storage medium and the transaction apparatus according to the second embodiment in order to illustrate more concretely the operations of the card-type storage medium and the transaction apparatus;

FIG. 14 is a plan view showing an appearance of a typical IC card;

FIG. 15 is a block diagram showing a hardware structure of a typical IC card;

FIG. 16 is an illustration for illustrating a file access procedure to a conventional IC card;

FIG. 17 is an illustration for illustrating a concept of security when a file in a conventional IC card is accessed; and

FIG. 18 is an illustration showing an unrightful access that may occur when a file in a conventional IC card is accessed.

DESCRIPTION OF THE PREFERRED EMBODIMENT

(a) Description of Aspects of the Invention

FIG. 1 is a block diagram showing an aspect of this invention. A card-type storage medium 1A shown in FIG. 1 has a storage unit 2A and a control unit 3A. The storage unit 2A includes a data area in which data files are kept and a directory area in which control information for the data files in the data area is kept. The control unit 3A manages the data files in the data area in the storage unit 2A on the basis of the control information kept in the directory area in the storage unit 2A.

According to this invention, the permissible number of accesses in one transaction for each data file is set beforehand in the directory area in the storage unit 2A. The control unit 3A further has a counting means 4A, a comparing means 5A and an error judging means 6A to check the number of accesses made in each transaction.

When a transaction is started between the card-type storage medium 1A and an external apparatus (a transaction apparatus), not shown, the counting means 4A counts the number of accesses to a data file after the start of the transaction. The comparing means (a first comparing means) 5A compares the number of accesses counted by the counting means 4A with the permissible number of accesses set in the directory area in the storage unit 2A. If the number of accesses exceeds the permissible number of accesses as a result of the comparison by the comparing means 5A, the error judging means 6A judges that an error has occurred, and interrupts the transaction.

FIG. 2 is a block diagram showing another aspect of this invention. A card-type storage medium 1B shown in FIG. 2 has a storage unit 2B and a control unit 3B, each of which has a function similar to that in FIG. 1. In this aspect, a permissible access period for an access to a data file in one transaction is set beforehand in the directory area in the storage unit 2B. The control unit 3B has a timer means 4B, a comparing means 5B and an error judging means 6B to check the access period in each transaction instead of the number of accesses.

When a transaction is started between the card-type storage medium 1B and an external apparatus (a transaction apparatus), not shown, the timer means 4B measures the access period of an access to a data file after the start of the transaction. The comparing means (a second comparing means) 5B compares the access period measured by the timer means 4B with the permissible access period set in the directory area in the storage unit 2B. If the access period exceeds the permissible access period, the error judging means 6B judges that an error has occurred, and interrupts the transaction.

FIG. 3 is a block diagram showing still another aspect of this invention. A card-type storage medium 1C shown in FIG. 3 also has a storage unit 2C and a control unit 3C, each of which is similar to that shown in FIG. 1. In this aspect, the permissible number of accesses and a permissible access period in one transaction for each data file are set beforehand in the directory area in the storage unit 2C. The control unit 3C has a counting means 4A, a timer means 4B, a first comparing means 5A and a second comparing means 5B, each having a function similar to that described above. An error judging means 6C is also provided in the control unit 3C to check both the number of accesses and the access period in each transaction.

If the number of accesses exceeds the permissible number of accesses as a result of the comparison by the first comparing means 5A, or if the access period exceeds the permissible access period as a result of the comparison by the second comparing means 5B, the error judging means 6C judges that an error has occurred, and interrupts the transaction.

If a plurality of data files are kept in the storage unit 2A or 2C, the permissible number of accesses for each data file may be set beforehand in the directory area in the storage unit 2A or 2C and the counting means 4A may count the number of accesses to each data file. Alternatively, the permissible number of accesses for each type of access to a data file may be set beforehand in the directory area in the storage unit 2A or 2C and the counting means 4A may count the number of accesses for each type of access.
It is possible to provide an error notifying means in the control unit 3A, 3B or 3C to notify an error to the external apparatus if the error judging means 6A, 6B or 6C judges that an error has occurred.

It is also possible to provide in the control unit 3A, 3B or 3C an accumulating means which accumulates the number of errors, an error number comparing means which compares the number of errors accumulated by the accumulating means with a permissible number of errors set in the directory area in the storage unit 2A, 2B or 2C, and an inactivating means which switches the card-type storage medium into an inactive state if the number of errors exceeds the permissible number of errors as a result of the comparison by the error number comparing means. If the number of errors exceeds the permissible number of errors as a result of the comparison by the error number comparing means, the error notifying means may notify an error to the external apparatus.
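
The counting means, timer means, comparing means and error judging means of FIGS. 1 to 3, together with the per-file and per-access-type limits, the error accumulation and the inactivation described above (and the corresponding methods of the summary), are modelled below in Python as an added example; this code is not part of the patent. The directory layout (FileEntry), the limit values, the status words and the injectable clock are assumptions made for the demonstration; the status word returned on an error plays the role of the error notification.

```python
"""Card-side checks of FIGS. 1 to 3 (access count per type and access period
per transaction, limits held in the directory area, transaction interrupted on
excess) plus the error counter and inactivation described as an extension.
Added example, not the patent's code; layout, limits, status words and the
injectable clock are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class FileEntry:
    """Directory-area entry for one data file and its per-transaction limits."""
    records: list[bytes]
    max_accesses: dict[str, int]   # permissible number of accesses per type
    max_period_s: float            # permissible access period in seconds


@dataclass
class Card:
    directory: dict[str, FileEntry]
    clock: Callable[[], float]     # timer means; injected so tests can advance it
    max_errors: int = 3            # permissible number of errors before locking
    errors: int = 0                # accumulated over all transactions
    locked: bool = False           # inactive state
    selected: str | None = None
    counts: dict[str, int] = field(default_factory=dict)   # counting means
    started_at: float = 0.0

    def begin_transaction(self, file_id: str) -> str:
        if self.locked:
            return "6283"              # card inactivated
        if file_id not in self.directory:
            return "6A82"              # file not found
        self.selected = file_id
        self.counts = {t: 0 for t in self.directory[file_id].max_accesses}
        self.started_at = self.clock()
        return "9000"

    def _error(self, reason: str) -> str:
        """Error judging means: interrupt, count the error, lock if excessive."""
        self.errors += 1
        self.selected = None           # transaction interrupted
        if self.errors > self.max_errors:
            self.locked = True
            return "6283"
        return "6982"                  # security status not satisfied

    def access(self, access_type: str, record: int) -> tuple[str, bytes | None]:
        if self.locked:
            return "6283", None
        if self.selected is None or access_type not in self.counts:
            return "6985", None        # no transaction or unknown access type
        entry = self.directory[self.selected]
        if self.clock() - self.started_at > entry.max_period_s:
            return self._error("access period exceeded"), None
        self.counts[access_type] += 1
        if self.counts[access_type] > entry.max_accesses[access_type]:
            return self._error(f"{access_type} count exceeded"), None
        if not 0 <= record < len(entry.records):
            return "6A83", None        # record not found
        data = entry.records[record] if access_type == "READ" else None
        return "9000", data


def new_card(clock: list[float]) -> Card:
    """Card with one constructed file; its timer reads clock[0]."""
    entry = FileEntry([b"r0", b"r1", b"r2"], {"READ": 2, "WRITE": 1}, 5.0)
    return Card({"EF01": entry}, lambda: clock[0])


def count_check() -> list[str]:
    # Counts are kept per access type: READ, READ, WRITE pass; the third READ fails.
    card = new_card([0.0])
    card.begin_transaction("EF01")
    return [card.access(t, 0)[0] for t in ("READ", "READ", "WRITE", "READ")]


def period_check() -> list[str]:
    # The second access comes 6 s after the start, past the 5 s permissible period.
    clock = [0.0]
    card = new_card(clock)
    card.begin_transaction("EF01")
    statuses = [card.access("READ", 0)[0]]
    clock[0] = 6.0
    statuses.append(card.access("READ", 1)[0])
    return statuses


def lock_check() -> tuple[bool, int, str]:
    # Errors accumulate across transactions; above max_errors the card locks.
    card = new_card([0.0])
    for _ in range(card.max_errors + 1):
        card.begin_transaction("EF01")
        for i in range(3):             # the third READ exceeds the limit of 2
            card.access("READ", i)
    return card.locked, card.errors, card.begin_transaction("EF01")
```

Note that the error counter persists across transactions while the access counts and the timer are reset by begin_transaction; this is what lets the card distinguish a single over-long transaction (interrupted) from a terminal that keeps retrying (locked).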

When a transaction is started between the above-mentioned card-type storage medium 1A according to this invention shown in FIG. 1 and a transaction apparatus (an external apparatus), the counting means 4A counts the number of accesses to a data file from the transaction apparatus after the start of the transaction, and the comparing means 5A compares the number of accesses with the permissible number of accesses set beforehand.

If the number of accesses exceeds the permissible number of accesses as a result of the comparison by the comparing means 5A, the error judging means 6A judges that an error has occurred, and the transaction is interrupted. Namely, by checking the number of accesses in one transaction, it is possible to interrupt the transaction if it is judged that more accesses than necessary have been made to the card-type storage medium 1A.

In the above-mentioned card-type storage medium 1B according to this invention shown in FIG. 2, a check is made on the access period instead of the number of accesses. When a transaction between the card-type storage medium 1B and a transaction apparatus (an external apparatus) is started, the timer means 4B measures the access period of an access to a data file from the transaction apparatus after the start of the transaction, and the comparing means 5B compares the access period with the permissible access period set beforehand.

If the access period exceeds the permissible access period as a result of the comparison by the comparing means 5B, the error judging means 6B judges that an error has occurred, and the transaction is interrupted. Namely, by checking the access period in each transaction, it is possible to interrupt the transaction if it is judged that the transaction with the card-type storage medium 1B is being carried out for a period longer than necessary.

In the above-mentioned card-type storage medium 1C according to this invention shown in FIG. 3, a check is made on both the number of accesses and the access period. When a transaction is started between the card-type storage medium 1C and a transaction apparatus (an external apparatus), the counting means 4A counts the number of accesses to a data file from the transaction apparatus and the timer means 4B measures the period of access to the data file from the transaction apparatus, after the start of the transaction.

The first comparing means 5A compares the number of accesses with the permissible number of accesses set beforehand, while the second comparing means 5B compares the access period with the permissible access period set beforehand. If the number of accesses exceeds the permissible number of accesses as a result of the comparison by the first comparing means, or if the access period exceeds the permissible access period as a result of the comparison by the second comparing means, the error judging means 6C judges that an error has occurred and interrupts the transaction.

Namely, by checking the number of accesses and the access period in each transaction, it is possible to interrupt the transaction either if it is judged that more accesses than necessary have been made to the card-type storage medium 1C, or if it is judged that a transaction with the card-type storage medium 1C is being carried out for a period longer than necessary.

If a plurality of data files are kept in the storage unit 2A or 2C, the permissible number of accesses for each data file is set beforehand and the number of accesses is counted for each data file, thereby checking the number of accesses for each data file. Likewise, the permissible number of accesses for each type of access is set beforehand and the number of accesses is counted for each type of access, thereby checking the number of accesses for each type of access.

If it is judged that an error has occurred, the error is notified to the transaction apparatus (the external apparatus). In this way, it is possible to notify the occurrence of an error to the transaction apparatus (the external apparatus) which has accessed the card-type storage medium 1A, 1B or 1C. The transaction apparatus having been informed of the occurrence of the error may display an error or perform another similar process.

Further, the accumulated number of errors is compared with the permissible number of errors. If the number of errors exceeds the permissible number of errors, the card-type storage medium is inactivated (locked). By checking the number of errors, it becomes possible to inactivate a card-type storage medium in which an excessive number of errors have occurred, so that the card-type storage medium rejects any access from the outside.

By notifying an error to the transaction apparatus (the external apparatus) if the number of errors exceeds the permissible number of errors, it is possible to inform the transaction apparatus (the external apparatus) which has accessed the card-type storage medium 1A, 1B or 1C of the inactivated state of the card-type storage medium 1A, 1B or 1C, so that the transaction apparatus may display an error or perform another similar process.

According to the security managing method for a card-type storage medium and the card-type storage medium according to this invention shown in FIGS. 1 through 3, at least either the number of accesses or an access period in each transaction is checked. If more accesses than necessary have been made to the card-type storage medium 1A, 1B or 1C, or if a transaction is being done with the card-type storage medium 1A, 1B or 1C for a period longer than necessary, it is possible to interrupt the transaction, so that the security at the time of a file access may be largely strengthened.

A check on the number of accesses for each data file or for each type of access may realize a security management for each data file or for each type of access.

If the number of errors exceeds the permissible number of errors, the card-type storage medium 1A, 1B or 1C is made inactive. In consequence, it is possible to make the card-type storage medium 1A, 1B or 1C in which an excessive number of errors have occurred refuse any access from the outside, thereby improving the security function.

If an error is found by a check on the number of accesses or on an access period, or if the card-type storage medium 1A, 1B or 1C is inactivated, the error is notified to the transaction apparatus. The transaction apparatus which has accessed the card-type storage medium 1A, 1B or 1C may display an error or perform a similar process so as to immediately deal with the error.

FIG. 4 is a block diagram showing still another aspect of this invention. In FIG. 4, reference numeral 11 denotes a card-type storage medium. The card-type storage medium 11 also has a storage unit 12 and a control unit 13, each having a function similar to that shown in FIG. 1. Reference numeral 21 denotes a transaction apparatus which accesses the card-type storage medium 11 to do a transaction therewith.

According to this invention, the control unit 13 of the card-type storage medium 11 is provided with a unique identifier generating means 14, a unique identifier notifying means 15, a first comparing means 16 and a first judging means 17.

The unique identifier generating means 14 generates a unique identifier for a transaction when the transaction is started with the transaction apparatus (an external apparatus) and a data file that is an object of an access from the transaction apparatus 21 is determined. The unique identifier notifying means 15 notifies the unique identifier generated by the unique identifier generating means 14 to the transaction apparatus 21.

The first comparing means 16 compares a unique identifier given to an access command issued by the transaction apparatus 21 with the unique identifier generated for this transaction by the unique identifier generating means 14. The first judging means 17 judges that the access command fed from the transaction apparatus 21 is for this transaction if these unique identifiers are found to be in agreement by the first comparing means 16, and performs a process according to the access command from the transaction apparatus.

On the other hand, the transaction apparatus 21 has a notifying means 22. When a data file that is an object of an access is determined in the card-type storage medium 11 and a unique identifier for a transaction is informed from the card-type storage medium 11, the notifying means 22 notifies an access command, with the unique identifier given thereto, to the card-type storage medium 11 until the end of the transaction.

The control unit 13 of the card-type storage medium 11 may also have an enciphering means which enciphers the unique identifier generated for a transaction by the unique identifier generating means 14 with a first encipherment key. The unique identifier notifying means 15 may then notify a ciphertext unique identifier, obtained by enciphering the unique identifier in the enciphering means, to the transaction apparatus 21. In this case, the transaction apparatus 21 has a deciphering means which deciphers the ciphertext unique identifier with the first encipherment key.

The unique identifier notifying means 15 may notify a plaintext unique identifier before the encipherment along with the ciphertext unique identifier obtained by enciphering the unique identifier in the enciphering means to the transaction apparatus. In this case, the transaction apparatus 21 has a comparing means which compares a deciphered unique identifier obtained in decipherment by the deciphering means with the plaintext unique identifier supplied from the card-type storage medium 11, and a judging means which judges that the card-type storage medium 11 is rightful if the unique identifiers are found to be in agreement with each other as a result of comparison by the comparing means, and proceeds with the access process on the card-type storage medium.

The transaction apparatus 21 may further have an enciphering means which enciphers a unique identifier fed from the card-type storage medium 11 with a second encipherment key. The notifying means 22 may give a ciphertext unique identifier obtained by enciphering the unique identifier in the enciphering means to an access command, and notify it to the card-type storage medium 11. In this case, the control unit 13 of the card-type storage medium 11 has a deciphering means which deciphers the ciphertext unique identifier with the second encipherment key. The first comparing means 16 compares a deciphered text unique identifier obtained by deciphering the ciphertext unique identifier with the unique identifier generated for this transaction by the unique identifier generating means 14.

The notifying means 22 in the transaction apparatus 21 may notify a plaintext unique identifier along with the ciphertext unique identifier obtained by enciphering the unique identifier in the enciphering means to the card-type storage medium 11. In this case, the control unit 13 of the card-type storage medium 11 further has a second comparing means which compares a deciphered text unique identifier obtained in decipherment by the deciphering means with the plaintext unique identifier supplied from the external apparatus, and a second judging means which judges that an access command supplied from the transaction apparatus 21 is rightful if these unique identifiers are found to be in agreement with each other as a result of comparison by the second comparing means, and proceeds with the process.

The control unit 13 of the card-type storage medium 11 may further have an error notifying means which notifies an error as a response to an access command from the transaction apparatus 21 if the unique identifiers are found to be in disagreement as a result of comparison by the first comparing means 16 or the second comparing means.

In the above-mentioned card-type storage medium 11 and transaction apparatus 21 according to this invention shown in FIG. 4, when a transaction is started between the card-type storage medium 11 and the transaction apparatus 21 and a data file that is an object of an access from the transaction apparatus 21 is determined, the unique identifier generating means 14 of the card-type storage medium 11 generates a unique identifier for this transaction, and the unique identifier notifying means 15 notifies the unique identifier to the transaction apparatus 21.

The notifying means 22 in the transaction apparatus 21, having been informed of that unique identifier, notifies an access command with that unique identifier given thereto to the card-type storage medium until the end of the transaction.

On the side of the card-type storage medium 11, the first comparing means 16 compares the unique identifier given to the access command fed from the transaction apparatus with the unique identifier generated for this transaction. The first judging means 17 judges that the access command from the transaction apparatus 21 is for this transaction if these unique identifiers are found to be in agreement with each other as a result of comparison by the first comparing means 16, and performs a process according to the access command fed from the transaction apparatus 21.

The unique identifier generated when the data file is determined can be known only to the transaction apparatus having performed the data file determining process. In addition, the unique identifier is given to the access command fed from the transaction apparatus 21 at any time during one transaction. Accordingly, it is possible to identify the transaction apparatus 21 having accessed the card-type storage medium 11 by referring to that unique identifier.

The unique identifier is first enciphered with the first encipherment key, and the unique identifier notifying means 15 then notifies the ciphertext unique identifier to the transaction apparatus 21. On the side of the transaction apparatus 21, the ciphertext unique identifier fed from the card-type storage medium 11 is deciphered with the first encipherment key. This manner is effective to prevent the unique identifier from leaking as it is while the unique identifier is being informed from the card-type storage medium 11 to the transaction apparatus 21. In addition, it is possible to inhibit an access to the card-type storage medium 11 from any apparatus other than the transaction apparatus that has the first encipherment key identical to that of the card-type storage medium 11 until the end of the transaction.

The card-type storage medium 11 notifies a plaintext unique identifier before the encipherment along with the ciphertext unique identifier enciphered with the first encipherment key to the transaction apparatus 21. The transaction apparatus 21 deciphers the ciphertext unique identifier fed from the card-type storage medium 11 and compares the deciphered unique identifier obtained by deciphering the ciphertext unique identifier with the plaintext unique identifier to judge whether the card-type storage medium 11 having informed the transaction apparatus of the unique identifier is rightful or not. Only if these unique identifiers are in agreement with each other is the transaction apparatus 21 allowed to proceed with an access process on the card-type storage medium 11.

On the side of the transaction apparatus 21, the unique identifier fed from the card-type storage medium 11 is enciphered with the second encipherment key, and the ciphertext unique identifier obtained by enciphering the unique identifier is then given to an access command issued from the transaction apparatus 21 to the card-type storage medium 11. On the side of the card-type storage medium 11, the ciphertext unique identifier fed from the transaction apparatus 21 is deciphered with the second encipherment key, and the deciphered text unique identifier obtained by deciphering the ciphertext unique identifier is compared with the unique identifier generated for this transaction. This manner is effective to prevent the unique identifier from leaking as it is while the unique identifier is being notified from the transaction apparatus 21 to the card-type storage medium 11, and to inhibit an access to the card-type storage medium 11 from any apparatus other than the transaction apparatus 21 that has the second encipherment key identical to that of the card-type storage medium 11.

Next, the transaction apparatus 21 notifies the plaintext unique identifier before the encipherment along with the ciphertext unique identifier having been enciphered with the second encipherment key to the card-type storage medium 11. The card-type storage medium 11 deciphers the ciphertext unique identifier with the second encipherment key, and compares the deciphered text unique identifier obtained in decipherment with the plaintext unique identifier fed from the transaction apparatus 21 to judge whether an access command fed from the transaction apparatus 21, having been informed of the unique identifier from the card-type storage medium 11, is rightful or not. Only if these unique identifiers are in agreement with each other is the transaction apparatus 21 permitted to proceed with the access process on the card-type storage medium 11.

At that time, if these unique identifiers are found to be in disagreement as a result of the comparison made in the card-type storage medium 11, an error is notified as a response to the access command from the transaction apparatus 21. Accordingly, the transaction apparatus 21 that has accessed the card-type storage medium 11 may be informed of the occurrence of the error so as to display an error or perform another similar process.
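The exchange of FIG. 4 described above, run end to end on both sides, as an added example in C; it is my own code, not code from the patent or from any card implementation. It assumes a toy 32-bit encipherment standing in for the encipherment the patent leaves unspecified, constructed sample keys KEY1 and KEY2, a linear congruential step as the card's identifier source, and made-up command and response codes; a real card would use a proper block cipher and its hardware random source. It covers the plain identifier check of the first comparing means 16 and both enciphered variants: the card sends the plaintext identifier together with its ciphertext under the first key so the terminal can judge the card rightful, and every access command carries the plaintext identifier together with its ciphertext under the second key so the card can judge the command rightful.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed sample keys (assumption); a real card and terminal would share
 * them through personalisation. */
#define KEY1 0x5A17C3E9u  /* first encipherment key: card -> terminal direction */
#define KEY2 0x1D4B8F26u  /* second encipherment key: terminal -> card direction */

enum { CMD_READ = 1, RSP_OK = 0, RSP_ERROR = 1 };  /* constructed codes */

/* Multiplicative inverse of an odd 32-bit constant (Newton iteration mod 2^32). */
static uint32_t mul_inverse(uint32_t a) {
    uint32_t x = a;
    for (int i = 0; i < 5; i++) x *= 2u - a * x;
    return x;
}

/* Toy encipherment: XOR the key in, then a fixed bijective mixing step. It is
 * NOT a secure cipher (one plaintext/ciphertext pair reveals the key); it only
 * stands in for the encipherment the patent leaves unspecified. */
static uint32_t toy_encipher(uint32_t x, uint32_t key) {
    x ^= key;
    x ^= x >> 16; x *= 0x85EBCA6Bu;
    x ^= x >> 13; x *= 0xC2B2AE35u;
    return x ^ (x >> 16);
}

static uint32_t toy_decipher(uint32_t y, uint32_t key) {
    y ^= y >> 16;                      /* undo the encipher steps, last first */
    y *= mul_inverse(0xC2B2AE35u);
    y ^= y >> 13; y ^= y >> 26;        /* inverse of x ^= x >> 13 */
    y *= mul_inverse(0x85EBCA6Bu);
    y ^= y >> 16;
    return y ^ key;
}

typedef struct { uint32_t key1, key2, tx_id, rng_state; bool file_selected; } card_t;
typedef struct { uint32_t key1, key2, tx_id; bool in_transaction; } terminal_t;

/* Card -> terminal once the data file is determined: plaintext identifier plus
 * its ciphertext under the first key (enciphering means and notifying means 15). */
typedef struct { uint32_t plain_id, cipher_id; } id_notice_t;

/* Terminal -> card: every access command carries the plaintext identifier and
 * its ciphertext under the second key (notifying means 22). */
typedef struct { uint8_t opcode; uint32_t plain_id, cipher_id; } access_cmd_t;

/* Unique identifier generating means 14. An LCG step stands in for the card's
 * random source (assumption); consecutive outputs are always distinct. */
static id_notice_t card_select_file(card_t *c) {
    c->rng_state = c->rng_state * 1664525u + 1013904223u;
    c->tx_id = c->rng_state;
    c->file_selected = true;
    id_notice_t n = { c->tx_id, toy_encipher(c->tx_id, c->key1) };
    return n;
}

/* Terminal: decipher with the first key and compare with the plaintext copy;
 * agreement means the card holds the same first key and is judged rightful. */
static bool terminal_accept_identifier(terminal_t *t, id_notice_t n) {
    if (toy_decipher(n.cipher_id, t->key1) != n.plain_id) return false;
    t->tx_id = n.plain_id;
    t->in_transaction = true;
    return true;
}

static access_cmd_t terminal_build_command(const terminal_t *t, uint8_t opcode) {
    access_cmd_t cmd = { opcode, t->tx_id, toy_encipher(t->tx_id, t->key2) };
    return cmd;
}

/* Card: first comparing means 16 checks the deciphered identifier against the one
 * generated for this transaction; the second comparing means checks it against the
 * plaintext copy. Either mismatch is answered with an error (error notifying means). */
static int card_handle_command(card_t *c, access_cmd_t cmd) {
    if (!c->file_selected) return RSP_ERROR;
    uint32_t deciphered = toy_decipher(cmd.cipher_id, c->key2);
    if (deciphered != c->tx_id)     return RSP_ERROR;  /* not this transaction's identifier */
    if (deciphered != cmd.plain_id) return RSP_ERROR;  /* sender does not hold the second key */
    return RSP_OK;  /* the read/write itself would be performed here */
}

/* Scenarios: the rightful exchange, an impostor card (wrong first key), a terminal
 * with the wrong second key, a terminal that never received the identifier, and a
 * stale identifier after the card started a new transaction. Returns -1 if the
 * terminal refuses the card, else the card's response to a READ command. */
static int scenario(uint32_t card_key1, uint32_t term_key2, bool skip_notice, bool restart_card) {
    card_t c = { card_key1, KEY2, 0, 0x1234u, false };
    terminal_t t = { KEY1, term_key2, 0, false };
    id_notice_t n = card_select_file(&c);
    if (!skip_notice && !terminal_accept_identifier(&t, n)) return -1;
    if (restart_card) card_select_file(&c);  /* new transaction, new identifier */
    return card_handle_command(&c, terminal_build_command(&t, CMD_READ));
}
```

The two comparisons on the card do different jobs: the first rejects a sender that holds the second key but did not perform this transaction's file determination (a guessed or stale identifier), the second rejects a sender that knows the identifier but not the second key. Because the plaintext and the ciphertext of the same identifier travel together in both directions, the strength of the scheme rests entirely on the cipher; with the toy cipher above a single observed pair gives away the key, which is why a real card uses a proper block cipher for the first and second encipherment keys.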

According to the above-mentioned card-type storage medium 11 and the transaction apparatus 21 according to this invention shown in FIG. 4, a unique identifier is given to every access command issued from the transaction apparatus 21 in each transaction. By referring to the identifier it is possible to identify the transaction apparatus 21 that has accessed the card-type storage medium 11, and to prevent accesses from different applications to one data file with certainty. This may largely improve the level of the security.

In this occasion, by enciphering the unique identifier with the first encipherment key, then notifying the ciphertext unique identifier to the transaction apparatus 21, it is possible to prevent the unique identifier from leaking as it is. It is also possible to inhibit an access to the card-type storage medium 11 from any apparatus other than the transaction apparatus 21 that has the first encipherment key, thereby further improving the security function.

By notifying the plaintext unique identifier along with the ciphertext unique identifier enciphered with the first encipherment key to the transaction apparatus 21 from the card-type storage medium, and, in the transaction apparatus 21, comparing the unique identifier obtained in decipherment with the plaintext unique identifier fed from the card-type storage medium 11, it is possible to judge whether the card-type storage medium 11 having notified the unique identifier to the transaction apparatus 21 is rightful or not, thereby further improving the security function.

Further, as the transaction apparatus 21 gives the unique identifier enciphered with the second encipherment key to an access command and notifies it to the card-type storage medium 11, it is possible to prevent the unique identifier from leaking as it is, and to inhibit an access to the card-type storage medium 11 from any apparatus other than the transaction apparatus that has the second encipherment key, thereby further improving the security function.

Moreover, the transaction apparatus 21 notifies the plaintext unique identifier before the encipherment along with the ciphertext unique identifier enciphered with the second encipherment key to the card-type storage medium 11. The card-type storage medium 11 then compares the unique identifier obtained in decipherment with the plaintext unique identifier fed from the transaction apparatus to judge whether an access command from the transaction apparatus 21 is rightful or not, thereby further improving the security function.

At that time, if these unique identifiers are found to be in disagreement as a result of the comparison in the card-type storage medium 11, an error is notified to the transaction apparatus 21. The transaction apparatus 21 having accessed the card-type storage medium 11 may display an error or perform another similar process so as to immediately deal with the error.

(b) Description of First Embodiment

FIG. 5 is a block diagram of a card-type storage medium according to a first embodiment of this invention. In FIG. 5, reference numeral 30 denotes an IC card (a card-type storage medium). The IC card 30 has a microprocessor unit (MPU) 31 as a control unit and a storage (a file area; an EPROM or an EEPROM, for example) 32 as a storage unit. The IC card 30 is connected to an external apparatus (an upper apparatus, a transaction apparatus or a terminal apparatus), not shown, via a terminal unit (not shown in FIG. 5), which has been hereinbefore described by reference to FIGS. 14 and 15.

The storage 32 includes a data area 32A in which a plurality of data files 32C are kept, and a directory area 32B in which control information (pointers, security basic information and security additional information, which will be described later, etc.) about each of the data files 32C in the data area 32A is kept.

The MPU 31 manages each of the data files 32C in the data area 32A in the storage 32 on the basis of the control information in the directory area 32B. When receiving an access command from the external apparatus, the MPU 31 performs a read process (a read access), a write process (a write access), an erase process (an erase access), a rewrite process (a rewrite access) or the like on the data file 32C according to the access command.

The MPU 31 has a ROM 33 which keeps a program therein to carry out the control operation and a RAM 34 which is used as a work area when the control operation is carried out. The MPU 31 also has other functional elements as shown in FIG. 5, that is, a communication control unit 35, a command receiving-distributing unit 36, a command processing unit 37 and a file managing unit 38.

The communication control unit 35 receives a command (i.e., receives a transmission block) supplied from the external apparatus, and sends a response (i.e., generates and transmits a transmission block) from the IC card 30 to the external apparatus from which the command was supplied.

When the communication control unit 35 receives a command from the external apparatus, the command receiving-distributing unit 36 receives the command and conducts distribution according to the command.

The command processing unit 37 receives the command which has been distributed by the command receiving-distributing unit 36 and performs a process according to the command. The structure and operation of the command processing unit 37 will be described in more detail later.

The file managing unit 38 is disposed between the command processing unit 37 and the storage 32; it converts a logical address into a physical address while referring to the directory area 32B, so as to function as an interface between the command processing unit 37 and the storage 32.

The command processing unit 37 has elements functioning as a parameter check unit 41, a security basic check unit 42, a security additional check unit 43 and a file accessing unit 44.

The parameter check unit 41 checks various parameters in a command supplied from the external apparatus. The security basic check unit 42 conducts a security basic check on the basis of the security basic information in a manner similar to the prior art, as will be described later, if the parameter check unit 41 finds no problem as a result of its check.

If the security basic check unit 42 finds no problem as a result of its check, the security additional check unit 43 conducts a security additional check on the basis of the security additional information, as will be described later. If the security additional check unit 43 finds no problem as a result of its check, the file accessing unit 44 accesses the storage 32 (i.e., a file access block process or a chaining block process) according to the access command supplied from the external apparatus.

Incidentally, a logical structure of the storage 32 according to this embodiment is as shown in FIG. 7. Namely, the directory area 32B further includes a master directory area 32D which manages all the data files 32C, and sub directory areas 32E, one provided in each of the data files 32C, each of which manages a plurality of files 32F in the data file 32C.

In the master directory area 32D, there are stored a managing unit which manages the master directory area 32D, pointers each of which shows an address of each of the data files 32C, security basic information (an access right for each access capability) about each of the data files 32C together with the pointer, and the permissible number of errors as security additional information.

In the sub directory area 32E in each of the data files 32C, there are stored pointers each of which shows an address of a file 32F in the data file 32C, and security additional information about each of the files 32F together with the pointer.

As the security additional information contained in the sub directory area 32E, there are set the permissible number of accesses and a permissible transaction period. For example, the number of accesses that is considered to occur in one rightful transaction (dealing) is set for each type of access to the file 32F (for example, READ, WRITE, ERASE, REWRITE, etc.) and for each authentication code (an access capability) as the permissible number of accesses, along with a period required to process one rightful transaction as a permissible transaction period (a permissible access period), as shown in FIGS. 6 and 7.

On the other hand, the security basic information in the master directory area 32D is about the access capability and the access right mentioned above. The access capability is to verify a capability of a person, such as a card issuer, a card holder, an application provider, a service executor, a service provider, etc., who issues an access command to the IC card 30 from the external apparatus (application). The access right (a read right, a write right, etc.) is set for each of the data files 32C retained in the storage 32 according to the above access capability, and defines an access process that a person having an access capability can perform on each of the data files 32C. Incidentally, there are an erase right, a rewrite right and the like, in addition to the read right and the write right.

When receiving a verify command after selection and determination of a data file 32C (a file 32F) that is an object of an access from the external apparatus (refer to FIG. 16), the security basic check unit 42 authenticates the access capability to get an access to the data file 32C, in the same way as in the prior art.

When receiving an access command (Read Record, Write Record or the like) after authentication of the access capability, the security basic check unit 42 verifies whether the access command is of a type of access (read, write, etc.) that is permitted as an access right set correspondingly to the authenticated access capability, on the basis of the security basic information about that data file 32C in the master directory area 32D.

If the security basic check unit 42 verifies the access command as being permitted as the access right corresponding to the authenticated access capability, the security additional check unit 43 makes a security additional check on the basis of the security additional information about that data file 32C (the file 32F) in the master directory area 32D and the sub directory area 32E.

The security additional check unit 43 according to this embodiment has an access number counter (counting means) 51, a timer (timer means) 52, a first comparing unit 53, a second comparing unit 54, an error judging unit 55, an error notifying unit 56, an error number accumulative counter (an accumulating means) 57, an error number comparing unit 58 and an inactivation directing unit (an inactivating means) 59.

When a transaction with the external apparatus is started, the access number counter 51 counts the number of accesses after the start of the transaction for each file 32F that is an object of the access and for each type of access. An area to store the counted value is reserved in the RAM 34 (the work area). The timer 52 measures a period of an access to the data file 32C (the file 32F) after the start of the transaction.

The first comparing unit 53 compares the number of accesses counted by the access number counter 51 (which is read out from the counted value storing area in the RAM 34) with the permissible number of accesses set beforehand in the sub directory area 32E (which differs depending on the file 32F, the access capability and the type of access). The second comparing unit 54 compares an access period measured by the timer 52 with a permissible access period set beforehand in the sub directory area 32E (which differs depending on the data file 32C).

The error judging unit 55 judges that an error has occurred if the number of accesses exceeds the permissible number of accesses as a result of comparison by the first comparing unit 53, or if an access period exceeds the permissible access period as a result of comparison by the second comparing unit 54, and then interrupts the transaction. The error notifying unit 56 notifies the occurrence of the error to the external apparatus if the error judging unit 55 judges that an error has occurred.

The error number accumulative counter 57 counts up the number of errors if the error judging unit 55 judges that an error has occurred. An area to store the counted value is reserved in the RAM 34 (the work area). The error number comparing unit 58 compares the number of errors counted by the error number accumulative counter 57 (which is read out from the counted value storing area in the RAM 34) with the permissible number of errors set beforehand in the master directory area 32D.

The inactivation directing unit 59 outputs an inactivation directing signal in order to switch the state of the IC card 30 into an inactive state if the number of errors exceeds the permissible number of errors as a result of the comparison by the error number comparing unit 58.

In order to activate again the IC card 30 that has been inactivated, it is necessary to take a formal procedure. Until completion of the formal procedure, the IC card 30 does not accept any access from the outside. The error notifying unit 56 notifies the occurrence of the error to the external apparatus if the number of errors exceeds the permissible number of errors as a result of comparison by the error number comparing unit 58.

As stated above, according to this embodiment, the security additional information is stored, in addition to the security basic information (the access capability, the access right), for each of the data files 32C (the file 32F) in the directory area 32B in the storage 32. The security additional information is calculated as the permissible number of accesses and a permissible transaction period for each of the data files 32C (the file 32F) at the design stage of the system employing the IC card 30, and this security additional information is set in the directory area 32B when the IC card 30 is issued. The security additional information represents conditions which are satisfied only by a formal application (a transaction apparatus).

EP 0 696 016 A2

Setting of the security additional information into the IC card 30 is done with a creation command (a create command). By designating parameters, the creation command enables, in general, the data area 32A and the directory area 32B managing the data area 32A to be reserved in the storage 32 in the IC card 30, and the pointer used to get an access to each data file 32C (file 32F) and the security basic information (the access capability, the access right) to be set in the directory area 32B.

According to this embodiment, there are additionally set the permissible number of errors, a permissible transaction period and the permissible number of accesses (Read, Write, etc.) for each authentication code (the access capability) as items (parameters) of the security additional information. This security additional information is additionally set in the directory area 32B.

The creation command according to this embodiment can reserve the area to store the counted values of the access number counter 51 and the error number accumulative counter 57 in the RAM 34, and set an initial value '00'h therein. The storing area for the counted values in the RAM 34 may be cleared to the initial value '00'h by a hardware reset when the IC card 30 is inserted in a reader/writer of the external apparatus (the transaction apparatus).

If no security additional information is set in the IC card 30 according to this invention, the check on the number of file accesses or the check on a transaction period for each transaction becomes a NOP (No Operation), so as to make it possible to set the security to the level of only the security basic information, similarly to the prior art.

A concept of the security of the IC card 30 with the above structure according to this invention at the time of file access will be described referring to FIG. 8. As shown in FIG. 8, "OK", "OK", "NG" and "NG" are set in the IC card 30 for the service provider, the card issuer, the service executor and the card holder, respectively, as the read right (the access right) for a file 32F in the storage 32. Namely, the service provider and the card issuer are permitted to perform a read process on that file 32F.

Under such a setting of the read right, if an application operable in the access capability of the service executor issues a read command, the IC card 30 rejects the read access to that file 32F by the function of the security basic check unit 42, since the access right of the service executor to read that file 32F is set as "NG", as shown in FIG. 8.

To the contrary, if an application operable in the access capability of the service provider issues a read command (READ), the IC card 30 judges by the function of the security basic check unit 42 that the file 32F may be read, since the read right of the service provider for that data file is set as "OK".

In the prior art, if the security basic check unit 42 judges "OK" as above, a read access to that file 32F is immediately permitted. According to this embodiment, the security additional check unit 43 further checks the number of accesses and the transaction period as the next stage.

In FIG. 8, an arrow A1 denotes an example in which the security additional check unit 43 judges that the conditions set on the basis of the security additional information are satisfied and thus permits a read access to that file 32F. An arrow A2 denotes an example in which the security additional check unit 43 judges that the conditions set on the basis of the security additional information are not satisfied and thus prohibits a read access to that file 32F.

According to this embodiment, if the error judging unit 55 in the security additional check unit 43 judges that this read command arrives within the range of the permissible number of read accesses after the start of the transaction, as a result of the comparison by the first comparing unit 53 (a comparison of the counted value of the access number counter 51 with the permissible number of accesses), the IC card 30 permits a read access to that file 32F.

On the other hand, if the read command arrives beyond the range of the permissible number of read accesses from the start of the transaction, the error judging unit 55 judges that an error has occurred, so that the IC card 30 interrupts the transaction, makes the error number accumulative counter 57 count up its counted value, and performs the following process.

To begin with, the error number comparing unit 58 compares the counted value of the error number accumulative counter 57 with the permissible number of occurrences of error. If the counted value is smaller than the permissible number of errors [(the counted value) < (the permissible number of occurrences of error)], the error notifying unit 56 notifies the occurrence of an error as a response to the command from the external apparatus. If the counted value is equal to or larger than the permissible number of errors [(the counted value) ≥ (the permissible number of occurrences of error)], the inactivation directing unit 59 outputs an inactivation directing signal to switch the state of the IC card 30 into an inactive state (a card lock state), while the error notifying unit 56 notifies the occurrence of an error as a response to the command issued from the external apparatus. After the switching to the inactive state, the IC card 30 is unusable until the inactive state of the IC card 30 is released in a formal procedure.

If the permissible transaction period is set in the sub directory area 32E in the IC card 30 of this embodiment as the security additional information, the timer 52 is cleared and activated by the hardware reset when the IC card 30 is inserted in the reader/writer (not shown).

The second comparing unit 54 in the security additional check unit 43 continually compares the measured value of the timer 52 with the permissible transaction period. If the transaction ends within the range of the permissible transaction period, the IC card 30 is discharged so that the transaction is terminated normally.

If the measured value of the timer 52 exceeds the permissible transaction period, the error judging unit 55 judges that an error has occurred so as to interrupt the transaction. The error number accumulative counter 57 then counts up its counted value, and the IC card 30 performs the same process as in the case where the number of accesses exceeds the permissible number of accesses.

More specifically, if the counted value is smaller than the permissible number of occurrences of error [(the counted value) < (the permissible number of errors)] as a result of the comparison by the error occurrence number comparing unit 58, the error notifying unit 56 only notifies the occurrence of an error as a response to the command. If the counted value is equal to or larger than the permissible number of errors [(the counted value) ≥ (the permissible number of errors)], the inactivation directing unit 59 inactivates the IC card 30 itself (that is, puts the IC card 30 in the card lock state), while the error notifying unit 56 notifies the occurrence of an error. As in the above case, the IC card is unusable until a formal procedure is taken to release the inactive state.

According to this embodiment, the security basic check unit 42 first makes a check on the basis of the security basic information, and the security additional check unit 43 next makes a check according to the conditions set in the directory area 32B as the security additional information, thereby strengthening the security.

If the security additional information is not set in the directory area 32B, only the security basic check unit 42 makes a check on the basis of the security basic information, as in the prior art.

An operation of the IC card 30 according to this embodiment at the time of file access (that is, an operation to check the number of accesses) will next be described by reference to the flowchart (Steps S1 through S14) shown in FIG. 9.

When the IC card 30 is inserted in an upper apparatus (a reader/writer), the upper apparatus sends a file open instruction to the IC card 30, and it is judged whether the IC card 30 is in a lock state (an inactive state) or not (Step S1).

If in the lock state (YES decision), the IC card 30 notifies an error to the upper apparatus so as not to start a transaction. If not in the lock state (NO decision), the IC card 30 opens the file that is the object of an access from the upper apparatus (Step S2). In the case where the permissible transaction period is set as the security additional information, the IC card 30 activates the timer 52 by a hardware reset, then notifies the normal start of the transaction to the upper apparatus.

When the file is opened in the above manner, the upper apparatus notifies an authentication code to the IC card 30. The IC card 30 refers to the security basic information [an authentication code (an access capability) for that file] in the storage 32 (Step S3). The security basic check unit 42 then checks the authentication code, in other words, checks whether the upper apparatus has a capability to get an access to that file (Step S4). If the authentication code is appropriate for that file (YES decision), the IC card notifies it to the upper apparatus, then takes the next step (a file access process). If the authentication code is inappropriate for that file (NO decision), the IC card 30 notifies an error to the upper apparatus, then interrupts the transaction.

If the authentication code is judged to be appropriate for that file as a result of the authentication code check (the access capability check), the IC card 30 is informed of a file access command from the upper apparatus. When receiving the access command, the IC card points to the file 32F which is the object of the access, from the directory area 32B on the basis of the pointer, while making a reference to the security basic information about that file 32F (Step S5). The security basic check unit 42 then makes a check on the access right, that is, checks whether the access command fed from the upper apparatus is of a type of access that is permitted for the access capability of the upper apparatus (Step S6).

If the type of the access command is not permitted 
for that file (NO decision), the IC card notifies an error to 
the upper apparatus so as to interrupt the transaction. If 
the type of the access command is permitted for that file 
(YES decision), the access number counter 51 counts 
up a counted value (Step S7). 

The IC card 30 then refers to the security additional information (the permissible number of accesses according to the access capability and the access right set for that file) in the storage 32, while referring to the counted value of the access number counter 51 in the RAM 34 (Step S8). The first comparing unit 53 compares the counted value of the access number counter 51 with the permissible number of accesses (Step S9). If the counted value is equal to or smaller than the permissible number of accesses [(the counted value) ≤ (the permissible number of accesses)] as a result of the comparison (YES decision), the file access unit 44 executes a file access according to the access command (Step S14).

If the counted value is larger than the permissible number of accesses [(the counted value) > (the permissible number of accesses)] as a result of the comparison by the first comparing unit 53, the error judging unit 55 judges that an error has occurred, so that the IC card 30 interrupts the transaction requested by that access command, and the error number accumulative counter 57 then counts up its counted value (Step S10).

After that, the IC card 30 makes reference to the security additional information (the permissible number of occurrences of error) in the storage 32 and to the counted value of the error number accumulative counter 57 in the RAM 34 (Step S11). The error number comparing unit 58 then compares the counted value of the error number accumulative counter 57 with the permissible number of errors (Step S12). If the counted value is smaller than the permissible number of errors [(the counted value) < (the permissible number of errors)] as a result of the comparison (YES decision), the error notifying unit 56 only notifies an error as a response to the command from the outside.

If the counted value is equal to or larger than the permissible number of errors [(the counted value) ≥ (the permissible number of occurrences of error)] as a result of the comparison by the error number comparing unit 58 (NO decision), the inactivation directing unit 59 outputs an inactivation directing signal to put the IC card 30 itself in the inactive state (the card lock state) (Step S13). The error notifying unit 56 then notifies an error as a response to the command from the outside.

If the permissible transaction period is set in the sub directory area 32E as the security additional information, the second comparing unit 54 in the security additional check unit 43 concurrently compares the counted value of the timer 52 with the permissible transaction period at any time, as stated above, though this is not shown in FIG. 9. If the transaction is terminated within the range of the permissible transaction period, the IC card 30 terminates the transaction normally. If the counted value of the timer 52 exceeds the permissible transaction period, the error judging unit 55 judges that an error has occurred at that point, so that the IC card 30 interrupts the transaction and performs the above-mentioned process of Steps S7 through S13.

A more detailed description will be made by way of the practical example shown in FIGS. 10(A) and 10(B). FIG. 10(A) is a diagram of a command sequence illustrating the operation of a rightful application to which this embodiment is applied. FIG. 10(B) is a diagram of a command sequence illustrating the operation of an unrightful application to which this embodiment is also applied. The description here also concerns the check on the number of accesses for each transaction as the security additional information.

As shown in FIGS. 10(A) and 10(B), assume an application where a balance and a term of validity of the balance are set in the file 32F in the IC card 30, and where the balance becomes invalid if it is not used within the term of validity. Assume also that one is set as the permissible number of read accesses, as the permissible number of write accesses and as the permissible number of errors in the security additional information.

Here, the upper apparatus operative with a rightful 
application A performs a process to read the balance 
from the IC card 30 by a read access command, update 
the balance and write the balance in the IC card 30 by a 
write access command. In this case, the process is per- 
formed normally since the number of each of the read 
accesses and the write accesses is one. 

On the other hand, the upper apparatus operative with an unrightful application A', which tries to update the term of validity of the balance after updating the balance, makes two read accesses and two write accesses in one transaction, as shown in FIG. 10(B). As a result, the number of accesses exceeds the permissible number of accesses set as the security additional information. In consequence, the read and write accesses relating to the term of validity of the balance result in errors, and the transaction is therefore interrupted and rejected.

The second unrightful writing process (update of the term of validity of the balance) shown in FIG. 10(B) causes the error number accumulative counter to count two, so that the counted value exceeds the permissible number of errors. As a result, the IC card 30 enters the inactive state (the card lock state) at this point. After that, all processes will be rejected. For example, even if a normal application is activated again under such an inactive state, the process cannot be performed.
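The following Python simulation of the check described in Steps S7 through S14 and exercised in the FIG. 10 scenarios is added here as an illustration; it is not code from the patent. Class and method names, the response strings and the timer unit are assumptions; with the FIG. 10 parameters (one read, one write, one error) and the "equal to or larger than" rule of the error number comparing unit 58, the card locks at the first excess access.

```python
"""Simulation of the security additional check of the first embodiment (FIG. 9,
Steps S7 to S14): access number counter 51, error number accumulative counter 57,
the optional transaction timer 52 and the card lock state. Constructed
illustration, not the patent's own code; names and values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurityAdditionalInfo:
    """Per-file parameters in the directory area; any of them may be left unset."""
    max_accesses: Dict[str, int] = field(default_factory=dict)  # command -> permissible number
    max_errors: Optional[int] = None     # permissible number of errors
    max_period: Optional[int] = None     # permissible transaction period (assumed seconds)


@dataclass
class ICCard30:
    info: SecurityAdditionalInfo
    access_right: Dict[str, Set[str]]    # access capability -> permitted command types
    locked: bool = False                 # inactive state, released only by a formal procedure
    # Counters in the RAM 34, cleared to '00'h by the hardware reset on insertion.
    access_count: Dict[str, int] = field(default_factory=dict)
    error_count: int = 0
    in_transaction: bool = False

    def open_file(self) -> str:
        """Steps S1/S2: a locked card refuses; otherwise reset counters and start."""
        if self.locked:
            return "ERROR: card locked"
        self.access_count, self.error_count = {}, 0
        self.in_transaction = True
        return "OK"

    def _error(self) -> str:
        """Steps S10 to S13: interrupt the transaction, count the error, and
        inactivate the card once the count reaches the permissible number."""
        self.in_transaction = False      # the upper apparatus must open the file again
        self.error_count += 1
        if self.info.max_errors is not None and self.error_count >= self.info.max_errors:
            self.locked = True
            return "ERROR: card inactivated"
        return "ERROR"

    def access(self, capability: str, command: str, elapsed: int = 0) -> str:
        """One file access command; elapsed is the reading of the timer 52."""
        if self.locked or not self.in_transaction:
            return "ERROR: no transaction"
        # Step S6: security basic check, the access right of this capability.
        if command not in self.access_right.get(capability, set()):
            self.in_transaction = False
            return "ERROR: access right NG"
        # Second comparing unit 54: permissible transaction period (NOP if unset).
        if self.info.max_period is not None and elapsed > self.info.max_period:
            return self._error()
        # Step S7: count the access; Steps S8/S9: compare with the permissible number.
        self.access_count[command] = self.access_count.get(command, 0) + 1
        limit = self.info.max_accesses.get(command)   # NOP if unset
        if limit is not None and self.access_count[command] > limit:
            return self._error()
        return "OK"                      # Step S14: the file access itself


def run_sequence(card: ICCard30, capability: str, commands: List[str]) -> List[str]:
    """Open the file, then issue the commands; return every response in order."""
    return [card.open_file()] + [card.access(capability, c) for c in commands]


def fig10_card() -> ICCard30:
    """Card set up as in the FIG. 10 example: one read, one write, one error."""
    info = SecurityAdditionalInfo(max_accesses={"READ": 1, "WRITE": 1}, max_errors=1)
    return ICCard30(info, access_right={"service provider": {"READ", "WRITE"}})


def rightful_application() -> List[str]:
    """FIG. 10(A): read the balance, then write the updated balance."""
    return run_sequence(fig10_card(), "service provider", ["READ", "WRITE"])


def unrightful_application() -> tuple:
    """FIG. 10(B): a second read/write pair (the term of validity) in one transaction."""
    card = fig10_card()
    responses = run_sequence(card, "service provider", ["READ", "WRITE", "READ", "WRITE"])
    return responses, card.locked, card.open_file()   # the next file open is refused too


if __name__ == "__main__":
    print(rightful_application())
    print(unrightful_application())
```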

According to the first embodiment of this invention, the permissible number of accesses set for each of the access capability, the access right and the file is kept as the security additional information together with the conventional security basic information in the directory area 32B managing the data area 32A in the IC card 30, so that it is possible to manage the security by checking the number of accesses to the file against the security additional information in each transaction within the IC card 30.

Even if information about the relation between the access capability and the access right leaks outside, or if information about the access capability and the access right is unrightfully acquired by another person, it is possible to prevent an access from an unrightful application with certainty and to greatly strengthen the security check at the time of access to the file.

By watching both the permissible number of accesses and the permissible transaction period, it is possible to interrupt a transaction if more accesses than necessary are made to the IC card 30 during one transaction, or if a transaction is carried out on the IC card 30 for a period longer than necessary. This may further strengthen the security.

Further, if the number of errors exceeds the permissible number of errors during one transaction in the IC card 30, the IC card is made inactive so as to reject all accesses from the outside, thereby still further strengthening the security.

If an occurrence of error is found in the various checks, or if the card-type storage medium is inactivated, the upper apparatus (the reader/writer, the transaction apparatus or the terminal apparatus) is informed of an error as a response. The upper apparatus trying an access to the IC card 30 displays an error or performs a similar process so as to deal with the error immediately.

Employing the above-mentioned IC card 30 according to this embodiment in a system including a terminal apparatus having a reader/writer for the IC card, a terminal apparatus connected to an independent reader/writer for the IC card, or an upper apparatus (a host) for such a terminal apparatus is helpful in strengthening the security of the entire system.

According to this embodiment, the additional information such as the permissible number of accesses is combined with the security basic information, that is, the security basic information about the access capability and the access right corresponding to that access capability, as stated above. This is very helpful to improve the level of security for the system employing the IC card 30 and contributes to an improvement of the security of systems where high-level security is required (a cash card, a credit card, etc.).

According to the above-mentioned first embodi- 
ment, both of the permissible number of accesses and 
a permissible transaction period are set as the security 
additional information to check concurrently the number 
of the accesses and a transaction period. It is, however, 
possible to check either the number of accesses or a 
transaction period. 

(c) Description of Second Embodiment 

FIG. 11 is a block diagram of a card-type storage medium and a transaction apparatus according to a second embodiment of this invention. In FIG. 11, reference numeral 60 denotes an IC card (a card-type storage medium). The IC card 60 has a microprocessor unit (MPU) 61 as a control unit and a storage (a file area: an EPROM or an EEPROM, for example) 62 as a storage unit. The IC card 60 is connected to a transaction apparatus 80, which has been hereinbefore described by reference to FIGS. 14 and 15, via the terminal unit (not shown in FIG. 11), as is the IC card 30 according to the first embodiment.

The storage 62 includes a data area 62A in which a plurality of data files 62C are kept and a directory area 62B in which control information about each of the data files 62C in the data area 62A is kept.

The MPU 61 manages each of the data files 62C in the data area 62A in the storage 62 on the basis of the control information in the directory area 62B. The MPU 61 has a function to perform a process according to an access command when receiving the access command from an external apparatus.

The MPU 61 according to this embodiment has a ROM 63 keeping a program therein to carry out a control operation and a RAM 64 used as a work area when the control operation is carried out. The MPU 61 also has other functional elements as shown in FIG. 11, that is, a node ID generating unit (a unique identifier generating means) 65, an enciphering unit 66, a node ID notifying unit (a unique identifier notifying means) 67, a deciphering unit 68, a first comparing unit 69, a first judging unit 70, a second comparing unit 71, a second judging unit 72 and an error notifying unit 73.

When a transaction is started between the IC card 
60 and a transaction apparatus (an external apparatus) 
80, which will be described later, and a file that is an ob- 
ject of an access from the transaction apparatus is de- 
termined, the node ID generating unit 65 generates a 
node ID (a node identifier; a unique identifier) for this 
transaction. There is no specific rule to generate the 
node ID by the node ID generating unit 65. It is, for ex- 
ample, possible to use a function generating pseu- 
do-random numbers or the like (that is, a function gen- 
erating numbers dynamically and randomly) and use the 
generated pseudo-random numbers or the like as a node 
ID. 



The enciphering unit 66 enciphers the node ID generated for the transaction by the node ID generating unit 65 with a first encipherment key using an encipherment function. Hereinafter, a ciphertext will occasionally be written as E (a plaintext) and a deciphered text as D (a plaintext). Here, "E" is the first letter of the term "encipher", which means enciphering, and "D" is the first letter of the term "decipher", which means deciphering.

The node ID notifying unit 67 notifies, to the transaction apparatus 80, the ciphertext node ID obtained in the encipherment by the enciphering unit 66 as response information when the file is determined, along with the plaintext node ID before the encipherment. More specifically, the node ID notified to the transaction apparatus 80 from the IC card 60 is in the form of "(a plaintext) + E (a plaintext)" in this embodiment.

When informed of a file access command in which a node ID in the form of "(a plaintext) + E (a plaintext)" is given as a parameter from the transaction apparatus 80, the deciphering unit 68 deciphers the ciphertext node ID [E (a plaintext)] with a second encipherment key using an encipherment function to obtain a deciphered text D (a plaintext) of the node ID. The second encipherment key and the encipherment function used in the deciphering unit 68 are identical to the second encipherment key and the encipherment function used for encipherment in the enciphering unit 84 in the transaction apparatus 80 if the IC card 60 or the transaction apparatus 80, which will be described in detail later, is rightful.

The second comparing unit 71 compares the deciphered text node ID [D (a plaintext)] obtained in the decipherment by the deciphering unit 68 with the plaintext node ID supplied from the transaction apparatus 80. The second judging unit 72 judges that the access command issued from the transaction apparatus 80 is rightful if the deciphered text node ID is in agreement with the plaintext node ID as a result of the comparison by the second comparing unit 71. If the second judging unit 72 judges that the access command issued from the transaction apparatus 80 is rightful, the procedure proceeds to the next step, conducted in the first comparing unit 69.

The first comparing unit 69 compares the node ID 
(either the plaintext node ID or the deciphered text node 
ID) given to the access command fed from the transac- 
tion apparatus 80 with a node ID generated by the node 
ID generating unit 65 for this transaction. The first judging 
unit 70 judges that the access command fed from the 
transaction apparatus 80 is for this transaction if these 
node IDs are in agreement with each other as a result of 
comparison by the first comparing unit 69. If the first judg- 
ing unit 70 judges that the access command fed from the 
transaction apparatus 80 is for this transaction, the IC 
card 60 performs a process according to the access 
command fed from the transaction apparatus 80. 

If the node IDs are in disagreement as a result of the comparison by the first comparing unit 69 or the second comparing unit 71, in other words, if the first judging unit 70 judges that the access command from the transaction apparatus 80 is not for this transaction, or if the second judging unit 72 judges that the access command fed from the transaction apparatus 80 is unrightful, the error notifying unit 73 notifies an error (an error response) as a response to the access command from the transaction apparatus 80.

Meanwhile, the transaction apparatus 80 according to this embodiment accesses the IC card 60 to execute a transaction therewith. The transaction apparatus 80 is provided with a deciphering unit 81, a comparing unit 82, a judging unit 83, a ciphering unit 84 and a notifying unit 85.

When informed of a node ID in the form of "(a plaintext) + E (a plaintext)" from the IC card 60 when a transaction with the IC card 60 is started, the deciphering unit 81 deciphers the ciphertext node ID [E (a plaintext)] with a first encipherment key using an encipherment function to obtain a deciphered text D (a plaintext) of the node ID. The first encipherment key and the encipherment function used in the deciphering unit 81 are identical to the first encipherment key and the encipherment function used in the encipherment by the enciphering unit 66 in the IC card 60 if this transaction apparatus 80 or the above-mentioned IC card 60 is rightful.

The comparing unit 82 compares the deciphered text node ID [D (a plaintext)] obtained in the decipherment by the deciphering unit 81 with the plaintext node ID supplied from the IC card 60.

If the deciphered text node ID is in agreement with the plaintext node ID as a result of the comparison by the comparing unit 82, the judging unit 83 judges that the IC card 60 is rightful to this transaction apparatus 80. If the judging unit 83 judges that the IC card 60 is rightful, the procedure proceeds to the next step, conducted in the ciphering unit 84.

The ciphering unit 84 enciphers the node ID (either the plaintext node ID or the deciphered text node ID) fed from the IC card 60 with the second encipherment key using the encipherment function. The second encipherment key and the encipherment function used in the ciphering unit 84 are identical to the second encipherment key and the encipherment function used for decipherment in the deciphering unit 68 in the IC card 60 if this transaction apparatus 80 or the above-mentioned IC card 60 is rightful.

The notifying unit 85 gives an access command in which a node ID in the form of "(a plaintext) + E (a plaintext)" is given as a parameter to the IC card 60 until this transaction with the IC card 60 ends. The ciphertext node ID [E (a plaintext)] given to the access command by the notifying unit 85 is what has been ciphered by the ciphering unit 84.

An operation at the time of file access in the process of the IC card 60 and the transaction apparatus 80 with the above structures according to this embodiment will next be described by reference to the flowchart (Steps S21 through S30) shown in FIG. 12.



When the IC card 60 is inserted into the transaction apparatus 80 (a reader/writer), the transaction apparatus notifies a file open direction and the like to the IC card 60 to make a security check as, for example, described in the first embodiment. If the result of the security check is OK, the transaction apparatus 80 notifies a file determining command to the IC card 60 so that the IC card 60 performs a file determining process (Step S21).

If a file that is the object of an access is determined in compliance with the request from the transaction apparatus 80 to determine the file of the IC card 60, the node ID generating unit 65 in the IC card 60 generates a node ID for this transaction (Step S22).

The node ID generated by the node ID generating unit 65 is retained in the storage 62 in the IC card 60 until the hardware is reset when the IC card 60 is inserted into the transaction apparatus or the like the next time. The node ID of the preceding time is erased from the storage 62 so that the node ID is unique for each transaction.

The node ID generated by the node ID generating 
unit 65 is notified to the transaction apparatus 80 from 
the node ID notifying unit 67. At this time, it is possible 
to notify the node ID in a form of a plaintext or in a form 
of a ciphertext obtained by ciphering the node ID. It is 
further possible to notify the node ID in the form of "(a 
plaintext) + (a ciphertext)" [(a plaintext) + E (a plaintext)] 
where both of the plaintext node ID and the ciphertext 
node ID are notified. 

Referring now to FIG. 12, or to FIG. 13 showing a practical example which will be described later, a description will be made of the case where the node ID in the form of "(a plaintext) + E (a plaintext)", that is, in the last form at the highest security level, is exchanged between the IC card 60 and the transaction apparatus 80.

According to the second embodiment, as shown in FIG. 12, a node ID generated by the node ID generating unit 65 is enciphered with a first encipherment key using an encipherment function in the enciphering unit 66 (Step S23). The node ID notifying unit 67 then notifies the ciphertext node ID [E (a plaintext)] obtained in the enciphering unit 66 and the plaintext node ID before the encipherment to the transaction apparatus 80.

In the transaction apparatus 80 that has been informed of the node ID, the deciphering unit 81 first deciphers the ciphertext node ID [E (a plaintext)] with a first encipherment key using an encipherment function (Step S24). The comparing unit 82 then compares and collates the deciphered text node ID [D (a plaintext)] obtained in the deciphering unit 81 with the plaintext node ID informed from the IC card 60 (Step S25).

If the deciphered text node ID and the plaintext node ID are in agreement with each other as a result of the comparison, the judging unit 83 judges that the IC card 60 is rightful to the transaction apparatus 80, and the procedure proceeds to the next process.

If the deciphered text node ID and the plaintext node ID are in disagreement, the judging unit 83 judges either that data were altered when the IC card 60 notified the node ID to the transaction apparatus 80, or that this IC card 60 is not an object of the application of the transaction apparatus 80 since the encipherment key and the encipherment function in the IC card 60 differ from those in the transaction apparatus 80. As a result, the judging unit 83 interrupts the transaction, then discharges the IC card 60.

If the deciphered text node ID coincides with the plaintext node ID, the node ID is thereafter enciphered with a second encipherment key using an encipherment function in the enciphering unit 84 whenever the transaction apparatus 80 issues a file access command to the IC card 60 (Step S26). The notifying unit 85 notifies the ciphertext node ID [E (a plaintext)] obtained by the enciphering unit 84 and the plaintext node ID before the encipherment, given as a parameter to the file access command, to the IC card 60.

In the IC card 60 informed of the node ID in the form of "(a plaintext) + E (a plaintext)" as the parameter of the file access command, the deciphering unit 68 deciphers the ciphertext node ID [E (a plaintext)] with a second encipherment key using an encipherment function (Step S27). The second comparing unit 71 compares and collates the deciphered text node ID [D (a plaintext)] obtained in the deciphering unit 68 with the plaintext node ID informed from the transaction apparatus 80 (Step S28).

If the deciphered text node ID is in agreement with the plaintext node ID as a result of the comparison, the second judging unit 72 judges that the access command from the transaction apparatus 80 is rightful. The first comparing unit 69 then compares and collates the node ID (the deciphered text node ID or the plaintext node ID) with the node ID generated by the node ID generating unit 65 for this transaction and kept in the storage 62 (Step S29).

If these node IDs are in agreement with each other as a result of the comparison, the first judging unit 70 judges that the file access command from the transaction apparatus 80 is for this transaction, in other words, that the application (the transaction apparatus 80) having issued the file access command is identical to the application having performed the file determining process. The IC card 60 then allows the application to perform the actual file access process (Step S30), and notifies the result as a response to the transaction apparatus 80.

If the node ID designated by the parameter of the file access command is identical to the node ID kept in the IC card 60, it is considered that the node ID generated in the IC card 60 is known to the application. It is therefore possible to judge that the application trying to access the file is rightful, since that node ID can be known only to the application that has performed the file determining process.

If the node IDs are in disagreement as a result of the comparison at Step S28 (by the second comparing unit 71), the second judging unit 72 judges that the data were altered when the node ID was notified to the transaction apparatus 80 from the IC card 60, or that the IC card 60 is not an object of the application of the transaction apparatus 80 since the encipherment key and the encipherment function in the IC card 60 differ from those in the transaction apparatus 80. The error notifying unit 73 then notifies an error as a response to the access command.

If the node IDs are in disagreement as a result of the comparison at Step S29 (by the first comparing unit 69), the first judging unit 70 judges that the transaction apparatus 80 (the application) having issued the access command has not performed the file determining process. The error notifying unit 73 then notifies an error as a response to the access command.

As above, the error is reported to the transaction apparatus (the upper apparatus) as a response. The transaction apparatus 80 having tried to access the IC card 60 interrupts the transaction. After that, the transaction apparatus 80 displays the error, discharges the IC card, or performs a similar process so as to deal with the error immediately.

A more concrete example will next be described referring to FIG. 13. This example supposes that, in a medical institution, an application A for writing diagnostic information and another application B for settling the result of the diagnosis try to access the same IC card 60 simultaneously. Namely, a plurality of applications can access the same IC card 60 simultaneously in this system.

Here, the diagnostic information writing application A_A accesses a diagnostic information file F_A, and a medical treatment fee settling application A_B accesses a money sum information file F_B. The IC card 60 must accept commands from a plurality of applications, so it is necessary for the IC card 60 to accept an access only from the application having performed the determining process on the file that is the object of the access.

When the IC card 60 according to this embodiment receives a file determining command for the diagnostic information file F_A from the diagnostic information writing application A_A [refer to (1) in FIG. 13], the IC card 60 generates a node ID = "01" for the command, as stated above. This node ID is not limited to "01" since it is generated randomly. The IC card 60 notifies this node ID to the application A_A. The node ID = "01" is an ID that can be known only to the application A_A.

If the IC card 60 enciphers the node ID with a cipher key A shared with the application A_A [refer to (2) in FIG. 13], and notifies the node ID in the form of "a plaintext + E_A (node ID = "01")" [refer to (3) in FIG. 13], only that application can decipher the node ID, whereby the security may be further strengthened.

More specifically, the application A_A having been informed of the node ID in the form of "a plaintext + E_A (node ID = "01")" from the IC card 60 judges whether the deciphered node ID [D_A (node ID = "01")] obtained by deciphering the ciphertext node ID [E_A (node ID = "01")] is in agreement with the plaintext node ID or not [refer to (4) in FIG. 13].

If the node IDs are in agreement as a result of the judgement, the IC card 60 thereafter accepts an access command from the application A_A designating this node ID = "01", since the access to the file is then identical to that of the application having performed the file determination.

The application A_B may become able to access the file F_B by performing the same process on the file F_B [refer to (1) through (5) in FIG. 13]. In the process between the application A_B and the file F_B, a randomly generated node ID, for example "02", is used.

In the above manner, the management of the applications with the node IDs makes it possible to manage accesses to the same IC card from a plurality of applications.

For instance, if the diagnostic information application A_A tries to access the money sum information file F_B unrightfully, the application A_A cannot access the file F_B since the node ID notified to the application A_B is unknown to the application A_A. Accordingly, it is possible to prevent the money sum information or the like in the money sum information file F_B from being operated on unrightfully.

According to the second embodiment of this invention, the node ID is generated dynamically in the IC card 60 and notified to the application (the transaction apparatus 80) so as to realize a unique node ID for each transaction. Further, the node ID is enciphered, and the encipherment key is held commonly in the IC card 60 and the upper apparatus (the transaction apparatus 80), so as to prevent data tapping when the node ID is notified.

This node ID is what can be known only to the rightful application, so only the rightful application may encipher or decipher this node ID. An unrightful application cannot encipher or decipher this node ID since it is impossible for the unrightful application to get information about the encipherment key and the like.

The management of the applications issuing commands in the above manner makes it possible to identify the application accessing the IC card 60, so as to strengthen the security. Even in a system in which a plurality of applications operate in parallel, while an application is accessing a certain file in the IC card to do a transaction therewith, it is possible, with certainty, to prevent a different, unrightful application from accessing that file in the same IC card to do an unfair act thereon.

If an error is found in any of the above checks, the transaction apparatus 80 is informed of the error as a response. The transaction apparatus 80 having accessed the IC card 60 may display the error or perform a similar process so as to deal with the error immediately.

Employing the IC card 60 and the transaction apparatus 80 described above according to this embodiment in a system including a terminal apparatus incorporating a reader/writer for IC cards, a terminal apparatus connected to an independent reader/writer for IC cards, or an upper apparatus having such a terminal may improve the security of the entire system.

This embodiment is helpful to ensure sufficient security of a system in which a plurality of applications may access one IC card 60, and to cope with various needs of the users that may arise in the future.

According to this embodiment, it is possible to enhance the security to a sophisticated level as compared with the conventional security system. In the case of an access from a sole application, it is, of course, possible to ensure sufficient security and contribute to an improvement of the security of a system (a cash card, a credit card, etc.) that requires high-level security.

In the second embodiment described above, the node ID in the form of "(a plaintext) + E (a plaintext)" is exchanged between the IC card 60 and the transaction apparatus 80. It is, however, possible to notify a node ID in the form of a plaintext only, or a node ID in the form of a ciphertext only [only E (a plaintext)].

If a node ID in the form of a plaintext is notified, the enciphering unit 66, the deciphering unit 68, the second comparing unit 71, the second judging unit 72, the deciphering unit 81, the comparing unit 82, the judging unit 83 and the enciphering unit 84 shown in FIG. 11 become unnecessary. Further, Steps S23, S24, S25, S26, S27 and S28 are omitted in FIG. 12.

If a node ID in the form of a ciphertext [only E (a plaintext)] is notified, the second comparing unit 71, the second judging unit 72, the comparing unit 82 and the judging unit 83 in FIG. 11 become unnecessary. Further, Steps S25 and S28 in FIG. 12 are omitted. In the case where the transaction apparatus 80 gives the ciphertext node ID informed from the IC card 60 to the access command as it is, the deciphering unit 81 and the enciphering unit 84 in FIG. 11 become unnecessary. Further, Steps S24 and S26 in FIG. 12 are omitted. In this case, the deciphering unit 68 in the IC card 60 deciphers the ciphertext node ID with the first encipherment key using the encipherment function.

In the second embodiment described above, the first encipherment key may be identical to the second encipherment key. The first comparing unit 69 in the IC card 60 may also compare and collate the node ID with the node ID kept in the IC card 60 by enciphering the node ID kept in the IC card 60 with the second encipherment key.

The second embodiment may be carried out after the security checks on the basis of the security basic information and the security additional information according to the first embodiment, and after the file determination. In this case, it is possible to further enhance the security function of the IC card.

Although the first and second embodiments have been described with the card-type storage medium being an IC card, this invention should not be limited to the above example. If this invention is applied to a card-type storage medium of another type, for example an optical card, the same functions and effects as in the above embodiments are available.
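The node ID exchange of the second embodiment (Steps S23 through S30, the FIG. 13 scenario, and the same mechanism as claimed in claims 17 through 34 below), as an added example that is not part of the patent and is not the applicant's code. It models the card's node ID generating, deciphering, comparing, judging and error notifying units and the apparatus side in Python. The keyed permutation used for E() and D() is a toy Feistel construction chosen only for this illustration, since the patent leaves the encipherment function unspecified; the file names F_A and F_B, the key values and the file contents are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

BLOCK = 8     # the node ID is one 64-bit block of the toy cipher below
ROUNDS = 8

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: keyed SHA-256 truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encipher(key: bytes, block: bytes) -> bytes:
    """E(): toy keyed permutation standing in for the patent's unspecified encipherment function."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left          # final swap lets decipher() reuse the same loop

def decipher(key: bytes, block: bytes) -> bytes:
    """D(): inverse of encipher() under the same key (rounds applied in reverse order)."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left

class AccessError(Exception):
    """Raised where the patent's error notifying unit would return an error response."""

@dataclass
class ICCard:
    first_key: bytes                 # for E1()/D1() on the file determining response
    second_key: bytes                # for E2()/D2() on every file access command
    files: Dict[str, bytes]
    rng: Callable[[int], bytes] = secrets.token_bytes
    node_ids: Dict[str, bytes] = field(default_factory=dict)   # file -> node ID of its transaction

    def determine_file(self, filename: str) -> Tuple[bytes, bytes]:
        """File determining command: generate a random node ID, notify '(plaintext) + E1(plaintext)'."""
        node_id = self.rng(BLOCK)              # node ID generating unit 65
        self.node_ids[filename] = node_id      # kept in storage 62 for Step S29
        return node_id, encipher(self.first_key, node_id)

    def access_file(self, filename: str, plain_id: bytes, cipher_id: bytes) -> bytes:
        """File access command whose parameter is '(plaintext) + E2(plaintext)'."""
        # Steps S27/S28: decipher with the second key and collate with the plaintext.
        if decipher(self.second_key, cipher_id) != plain_id:
            raise AccessError("node ID altered in transit or keys differ")
        # Step S29: only the node ID generated for this transaction on this file is accepted.
        if self.node_ids.get(filename) != plain_id:
            raise AccessError("issuer did not perform the file determining process")
        return self.files[filename]            # Step S30: the actual file access

@dataclass
class Application:
    """A transaction apparatus (application A_A or A_B of FIG. 13) holding both keys."""
    first_key: bytes
    second_key: bytes
    node_id: Optional[bytes] = None

    def determine(self, card: ICCard, filename: str) -> None:
        plain_id, cipher_id = card.determine_file(filename)
        # Steps S24/S25: check D1(E1(id)) == id before trusting the card's node ID.
        if decipher(self.first_key, cipher_id) != plain_id:
            raise AccessError("card is not an object of this application")
        self.node_id = plain_id

    def access(self, card: ICCard, filename: str) -> bytes:
        if self.node_id is None:
            raise AccessError("file determining process not performed")
        # Step S26: re-encipher the node ID with the second key for every access command.
        return card.access_file(filename, self.node_id, encipher(self.second_key, self.node_id))

def _attempt(fn) -> str:
    try:
        return "ok:" + fn().decode()
    except AccessError as exc:
        return "error:" + str(exc)

def fig13_scenario() -> Dict[str, str]:
    """Constructed run of the FIG. 13 case: A_A and A_B share one card; A_A must not reach F_B."""
    k1, k2 = b"first key (constructed)", b"second key (constructed)"
    card = ICCard(k1, k2, {"F_A": b"diagnosis", "F_B": b"fee=1200"})
    app_a, app_b = Application(k1, k2), Application(k1, k2)
    app_a.determine(card, "F_A")               # FIG. 13 (1)-(4): a node ID such as "01" for A_A
    app_b.determine(card, "F_B")               # the same for A_B with another node ID, such as "02"
    out = {"A_A -> F_A": _attempt(lambda: app_a.access(card, "F_A")),
           "A_B -> F_B": _attempt(lambda: app_b.access(card, "F_B")),
           "A_A -> F_B": _attempt(lambda: app_a.access(card, "F_B"))}       # rejected at Step S29
    altered = bytes([app_a.node_id[0] ^ 1]) + app_a.node_id[1:]             # one bit altered in transit
    out["altered -> F_A"] = _attempt(lambda: card.access_file(
        "F_A", altered, encipher(k2, app_a.node_id)))                        # rejected at Step S28
    # An apparatus with a different first key fails its own Step S25 check (determine() returns
    # None when it succeeds, so the 'or' marks the success branch, which is never reached here).
    out["wrong key"] = _attempt(lambda: Application(b"other key", k2).determine(card, "F_A") or b"unreachable")
    return out
```

Each outcome string in `fig13_scenario()` names the step at which the card or the apparatus refuses: the cross-file attempt of A_A on F_B passes Step S28 (the keys match) but fails Step S29, while an altered plaintext fails Step S28 before the stored node ID is ever consulted. In the patent's terms, the "(a plaintext) + E(plaintext)" check is what lets each side confirm that the other holds the shared key, which is why the example keeps both checks rather than only the final comparison.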
Claims 

1. A method for managing security for a card-type storage medium (1A) having a storage unit (2A) keeping a data file therein, comprising the steps of:

setting the permissible number of accesses in one transaction for said data file;

counting the number of accesses to said data file after a start of a transaction when said transaction is started between said card-type storage medium (1A) and a transaction apparatus accessing said card-type storage medium (1A) to execute said transaction, comparing the number of accesses counted with said permissible number of accesses set beforehand, judging that an error has occurred if said number of accesses exceeds said permissible number of accesses, and interrupting said transaction.

2. A method for managing security for a card-type storage medium (1B) having a storage unit (2B) keeping a data file therein, comprising the steps of:

setting beforehand a permissible access period to said data file in one transaction;

measuring an access period to said data file after a start of a transaction when said transaction is started between said card-type storage medium (1B) and a transaction apparatus accessing said card-type storage medium (1B) to execute said transaction therewith, comparing the access period measured with said permissible access period set beforehand, judging that an error has occurred if said access period exceeds said permissible access period, and interrupting said transaction.

3. A method for managing security for a card-type storage medium (1C) having a storage unit (2C) keeping a data file therein, comprising the steps of:

setting beforehand the permissible number of accesses and a permissible access period for said data file in one transaction;

counting the number of accesses and measuring an access period to said data file after a start of a transaction when said transaction is started between said card-type storage medium (1C) and a transaction apparatus accessing said card-type storage medium (1C) to execute the transaction therewith, comparing the number of accesses counted with said permissible number of accesses set beforehand and comparing the access period measured with said permissible access period, judging that an error has occurred if said number of accesses exceeds said permissible number of accesses or if said access period exceeds said permissible access period, and interrupting said transaction.

4. A method for managing security for a card-type storage medium according to claim 1 or 3, wherein if a plurality of said data files are kept in said storage unit (2A, 2C), said permissible number of accesses for each of said data files is set beforehand and the number of accesses is counted for each of said data files.

5. A method for managing security for a card-type storage medium according to claim 1, 3 or 4, wherein said permissible number of accesses for each type of access is set beforehand for said data file and the number of accesses is counted for each type of access.

6. A method for managing security for a card-type storage medium according to any one of claims 1 through 5, wherein if it is judged that said error has occurred, said transaction apparatus is informed of said error.

7. A method for managing security for a card-type storage medium according to any one of claims 1 through 6, wherein the number of said errors is accumulated, said number of errors accumulated is compared with the permissible number of errors, and said card-type storage medium (1A, 1B, 1C) is inactivated if said number of errors exceeds said permissible number of errors.

8. A method for managing security for a card-type storage medium according to claim 7, wherein if said number of errors exceeds said permissible number of errors, said transaction apparatus is informed of an error.

9. In a card-type storage medium having a storage unit (2A) having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area therein, and a control unit (3A) managing the data file in said data area in said storage unit (2A) on the basis of the control information in said directory area in said storage unit (2A), the improvement comprising:

said directory area in said storage unit (2A) being set beforehand with the permissible number of accesses for said data file in one transaction;

said control unit (3A) comprising:

a counting means (4A) counting the number of accesses to said data file after a start of a transaction when said transaction is started with an external apparatus;

a comparing means (5A) comparing the number of accesses counted by said counting means (4A) with said permissible number of accesses set beforehand in said directory area in said storage unit (2A); and

an error judging means (6A) judging that an error has occurred if said number of accesses exceeds said permissible number of accesses as a result of comparison by said comparing means (5A), and interrupting said transaction.

10. In a card-type storage medium having a storage unit (2B) having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area therein, and a control unit (3B) managing the data file in said data area in said storage unit (2B) on the basis of the control information in said directory area in said storage unit (2B), the improvement comprising:

said directory area in said storage unit (2B) being set beforehand with a permissible access period for said data file in each transaction;

said control unit (3B) comprising:

a timer means (4B) measuring an access period to said data file after a start of a transaction when said transaction is started with an external apparatus;

a comparing means (5B) comparing the access period measured by said timer means (4B) with said permissible access period set beforehand in said directory area in said storage unit (2B); and

an error judging means (6B) judging that an error has occurred if said access period exceeds said permissible access period as a result of comparison by said comparing means (5B), and interrupting said transaction.

11. In a card-type storage medium having a storage unit (2C) having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area therein, and a control unit (3C) managing the data file in said data area in said storage unit (2C) on the basis of the control information in said directory area in said storage unit (2C), the improvement comprising:

said directory area in said storage unit (2C) being set beforehand with the permissible number of accesses and a permissible access period for said data file in one transaction;

said control unit (3C) comprising:

a counting means (4A) counting the number of accesses to said data file after a start of a transaction when said transaction is started with an external apparatus;

a timer means (4B) measuring an access period to said data file after the start of said transaction;

a first comparing means (5A) comparing the number of accesses counted by said counting means (4A) with said permissible number of accesses set beforehand in said directory area in said storage unit (2C);

a second comparing means (5B) comparing the access period measured by said timer means (4B) with said permissible access period set beforehand in said directory area in said storage unit (2C); and

an error judging means (6C) judging that an error has occurred if said number of accesses exceeds said permissible number of accesses as a result of comparison by said first comparing means (5A) or if said access period exceeds said permissible access period as a result of comparison by said second comparing means (5B), and interrupting said transaction.

12. A card-type storage medium according to claim 9 or 11, wherein if a plurality of said data files are kept in said storage unit (2A, 2C), said permissible number of accesses for each of said data files is set beforehand in said directory area in said storage unit (2A, 2C), and said counting means (4A) counts the number of accesses for each of said data files.

13. A card-type storage medium according to claim 9, 11 or 12, wherein said permissible number of accesses is set beforehand for each type of access to said data file in said directory area in said storage unit, and said counting means (4A) counts the number of accesses for each type of access.

14. A card-type storage medium according to any one of claims 9 through 13, wherein said control unit (3A, 3B, 3C) further comprises an error notifying means notifying an error to said external apparatus if said error judging means (6A, 6B, 6C) judges that an error has occurred.

15. A card-type storage medium according to any one of claims 9 through 14, wherein said control unit (3A, 3B, 3C) still further comprises:

an accumulating means accumulating said number of errors;

an error number comparing means comparing the number of errors accumulated by said accumulating means with the permissible number of errors set beforehand in said directory area in said storage unit (2A, 2B, 2C); and

an inactivating means inactivating said card-type storage medium if said number of errors exceeds said permissible number of errors as a result of comparison by said error number comparing means.

16. A card-type storage medium according to claim 15, wherein said error notifying means notifies an error to said external apparatus if said number of errors exceeds said permissible number of errors as a result of comparison by said error number comparing means.

17. A method for managing security of a card-type storage medium (11) having a storage unit (12) keeping a data file therein, comprising the steps of:

generating a unique identifier for a transaction in said card-type storage medium (11) when the transaction is started between said card-type storage medium (11) and a transaction apparatus (21) accessing said card-type storage medium to execute the transaction therewith and the data file that is an object of an access of said transaction apparatus (21) is determined, and notifying said unique identifier to said transaction apparatus (21);

giving said unique identifier to an access command of said transaction apparatus (21) to said card-type storage medium (11) until an end of said transaction; and

comparing said unique identifier given to the access command from said transaction apparatus (21) with another unique identifier generated for said transaction in said card-type storage medium (11), and performing a process according to the access command from said transaction apparatus (21) if these unique identifiers are in agreement.



18. A method for managing security of a card-type storage medium according to claim 17, wherein the unique identifier generated for said transaction is enciphered with a first encipherment key in said card-type storage medium (11), a ciphertext of said unique identifier is notified to said transaction apparatus (21), and the ciphertext unique identifier from said card-type storage medium (11) is deciphered with said first encipherment key in said transaction apparatus (21).

19. A method for managing security of a card-type storage medium according to claim 34, wherein a plaintext of the unique identifier before the encipherment is notified along with the ciphertext unique identifier obtained by encipherment with said first encipherment key to said transaction apparatus (21) from said card-type storage medium (11), the ciphertext unique identifier from said card-type storage medium (11) is deciphered with said first encipherment key in said transaction apparatus (21), a deciphered text of the unique identifier obtained by decipherment is compared with the plaintext unique identifier from said card-type storage medium (11), and an access process on said card-type storage medium (11) is proceeded with if these unique identifiers are in agreement.

20. A method for managing security of a card-type storage medium according to any one of claims 17 through 19, wherein the unique identifier from said card-type storage medium (11) is enciphered with a second encipherment key, the ciphertext unique identifier is then given to the access command from said transaction apparatus (21) to said card-type storage medium (11), the ciphertext unique identifier given to the access command from said transaction apparatus (21) is deciphered with said second encipherment key, and the deciphered text unique identifier is compared with the unique identifier generated for said transaction.

21. A method for managing security of a card-type storage medium according to claim 20, wherein a plaintext unique identifier before the encipherment is notified along with the ciphertext unique identifier obtained by the encipherment with the second encipherment key to said card-type storage medium (11) from said transaction apparatus (21), the ciphertext unique identifier from said transaction apparatus (21) is deciphered with said second encipherment key in said card-type storage medium (11), a deciphered text unique identifier obtained by the decipherment is compared with the plaintext unique identifier from said transaction apparatus (21), and if these unique identifiers are in agreement a process is proceeded with.

22. A method for managing security of a card-type storage medium according to claim 17 or 21, wherein if the unique identifiers are found to be in disagreement as a result of the comparison in said card-type storage medium (11), an error is notified as a response to the access command from said transaction apparatus (21).

23. In a card-type storage medium having a storage unit (12) having a data area keeping a data file therein and a directory area keeping control information about the data file in said data area therein, and a control unit (13) managing the data file in said data area in said storage unit (12) on the basis of the control information in said directory area in said storage unit (12), the improvement comprising:

said control unit (13) comprising:

a unique identifier generating means (14) generating a unique identifier for a transaction when the transaction is started with an external apparatus (21) and the data file that is an object of an access from said external apparatus (21) is determined;

a unique identifier notifying means (15) notifying the unique identifier generated by said unique identifier generating means (14) to said external apparatus (21);

a first comparing means (16) comparing a unique identifier given to an access command from said external apparatus (21) with the unique identifier generated by said unique identifier generating means (14) for said transaction; and

a first judging means (17) judging that the access command from said external apparatus (21) is for said transaction if these unique identifiers are found to be in agreement as a result of comparison by said first comparing means (16), and performing a process according to the access command from said external apparatus (21).

24. A card-type storage medium according to claim 23, wherein said control unit (13) further comprises an enciphering means enciphering the unique identifier generated for said transaction by said unique identifier generating means (14) with a first encipherment key, and said unique identifier notifying means (15) notifies a ciphertext unique identifier obtained in encipherment by said enciphering means to said external apparatus (21).

25. A card-type storage medium according to claim 24, wherein said unique identifier notifying means (15) notifies the ciphertext unique identifier obtained in encipherment by said enciphering means along with a plaintext of the unique identifier before the encipherment to said external apparatus (21).

26. A card-type storage medium according to any one of claims 23 through 25, wherein said control unit (13) still further comprises a deciphering means deciphering a ciphertext unique identifier with a second encipherment key if said ciphertext unique identifier obtained by encipherment with said second encipherment key is given to the access command from said external apparatus (21), and said first comparing means (16) compares a deciphered text unique identifier obtained in decipherment by said deciphering means with the unique identifier generated for said transaction by said unique identifier generating means (14).

27. A card-type storage medium according to claim 26, wherein said control unit (13) still further comprises:

a second comparing means comparing the deciphered text unique identifier obtained in decipherment by said deciphering means with the plaintext unique identifier from said external apparatus (21) if the plaintext unique identifier is given to the access command from said external apparatus (21) along with the ciphertext unique identifier obtained by encipherment with said second encipherment key; and

a second judging means judging that the access command from said external apparatus (21) is rightful if these unique identifiers are found to be in agreement as a result of comparison by said second comparing means.

28. A card-type storage medium according to claim 23, wherein said control unit (13) still further comprises an error notifying means notifying an error as a response to the access command from said external apparatus (21) if the unique identifiers are found to be in disagreement as a result of comparison by said first comparing means (16).



29. The improvement in a card-type storage medium according to claim 27, wherein said control unit (13) still further comprises an error notifying means notifying an error as a response to the access command from said external apparatus (21) if the unique identifiers are found to be in disagreement as a result of comparison by said second comparing means.

30. A transaction apparatus for a card-type storage medium (11), which accesses said card-type storage medium having a storage unit (12) keeping a data file therein to execute a transaction therewith, comprising:

a notifying means (22) notifying an access command with a unique identifier given thereto until an end of a transaction, when the data file that is an object of the access in said card-type storage medium (11) is determined in said card-type storage medium (11) and said transaction apparatus is informed of said unique identifier for said transaction from said card-type storage medium (11).

31. A transaction apparatus for a card-type storage medium according to claim 30, further comprising:

a deciphering means deciphering a ciphertext of the unique identifier with a first encipherment key if the unique identifier from said card-type storage medium (11) is enciphered with said first encipherment key.

32. A transaction apparatus for a card-type storage medium according to claim 31, still further comprising:

a comparing means comparing a deciphered text of the unique identifier obtained in decipherment by said deciphering means with a plaintext unique identifier from said card-type storage medium (11) if the plaintext unique identifier before the encipherment is notified from said card-type storage medium (11) along with said ciphertext unique identifier; and

a judging means judging that said card-type storage medium (11) is rightful if these unique identifiers are in agreement as a result of comparison by said comparing means, and proceeding with an access process on said card-type storage medium (11).

33. A transaction apparatus for a card-type storage medium according to any one of claims 30 through 32, still further comprising an enciphering means enciphering the unique identifier from said card-type storage medium (11) with a second encipherment key, and said notifying means (22) giving a ciphertext of the unique identifier obtained in encipherment by said enciphering means to the access command and notifying it to said card-type storage medium (11).

34. A transaction apparatus for a card-type storage medium according to claim 33, wherein said notifying means (22) notifies the plaintext unique identifier before the encipherment along with the ciphertext unique identifier obtained in encipherment by said enciphering means to said card-type storage medium (11).
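The counting means, timer means, comparing means, error judging means and the accumulating and inactivating means of claims 1 through 16, as an added example that is not part of the patent and is not the applicant's code. The card is modelled in Python as one object whose directory area holds, per data file, the permissible number of accesses for each type of access and the permissible access period; the file name, the limits, the data contents and the fake clock are constructed sample values, and the per-transaction counter is reset at every transaction start as the claims require.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

class TransactionError(Exception):
    """Judged by the card's error judging means: the current transaction is interrupted."""

class CardInactivated(Exception):
    """The accumulated number of errors exceeded the permissible number (claims 7 and 15)."""

@dataclass
class FileControl:
    """Directory-area control information for one data file (constructed values)."""
    permissible_accesses: Dict[str, int]   # per access type, e.g. {"read": 2, "write": 1} (claims 5, 13)
    permissible_period: float              # seconds allowed after the transaction start (claims 2, 10)

@dataclass
class CardTypeStorageMedium:
    directory: Dict[str, FileControl]      # directory area
    data: Dict[str, bytes]                 # data area
    permissible_errors: int                # threshold for the inactivating means (claims 7, 15)
    clock: Callable[[], float] = time.monotonic   # timer means; injectable for a deterministic run
    errors: int = 0                        # accumulating means
    active: bool = True
    in_transaction: bool = False
    started_at: float = 0.0
    counts: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (file, access type) -> count

    def start_transaction(self) -> None:
        if not self.active:
            raise CardInactivated("card has been inactivated")
        self.in_transaction, self.started_at, self.counts = True, self.clock(), {}

    def _judge_error(self, reason: str) -> None:
        """Error judging means: interrupt the transaction, accumulate the error and,
        once the permissible number of errors is exceeded, inactivate the card."""
        self.in_transaction = False
        self.errors += 1
        if self.errors > self.permissible_errors:
            self.active = False
            raise CardInactivated(reason)
        raise TransactionError(reason)

    def access(self, filename: str, kind: str, payload: bytes = b"") -> bytes:
        """One access command from the external apparatus; kind is 'read' or 'write'."""
        if not self.active:
            raise CardInactivated("card has been inactivated")
        if not self.in_transaction:
            raise TransactionError("no transaction in progress")
        ctl = self.directory[filename]
        # Timer means and comparing means: elapsed access period against the permissible period.
        if self.clock() - self.started_at > ctl.permissible_period:
            self._judge_error(f"permissible access period exceeded on {filename}")
        # Counting means and comparing means, per file and per access type (claims 4, 5, 12, 13).
        key = (filename, kind)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > ctl.permissible_accesses.get(kind, 0):
            self._judge_error(f"permissible number of {kind} accesses exceeded on {filename}")
        if kind == "read":
            return self.data[filename]
        self.data[filename] = payload
        return payload

class FakeClock:
    """Constructed clock so the access period can be advanced explicitly in the run below."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

def scenario() -> Dict[str, str]:
    """Constructed run: count limit, then period limit, then inactivation after repeated errors."""
    clock = FakeClock()
    card = CardTypeStorageMedium(
        directory={"balance": FileControl({"read": 2, "write": 1}, permissible_period=5.0)},
        data={"balance": b"1200"}, permissible_errors=2, clock=clock)
    out: Dict[str, str] = {}

    def attempt(label: str, fn) -> None:
        try:
            out[label] = "ok:" + fn().decode()
        except (TransactionError, CardInactivated) as exc:
            out[label] = type(exc).__name__ + ":" + str(exc)

    card.start_transaction()
    attempt("read 1", lambda: card.access("balance", "read"))
    attempt("write 1", lambda: card.access("balance", "write", b"1100"))
    attempt("read 2", lambda: card.access("balance", "read"))
    attempt("read 3", lambda: card.access("balance", "read"))      # third read: error 1, transaction interrupted
    card.start_transaction()                                        # a new transaction restarts the counters
    clock.now += 6.0                                                 # more than the 5 s permissible period
    attempt("late read", lambda: card.access("balance", "read"))    # error 2
    card.start_transaction()
    attempt("read after reset", lambda: card.access("balance", "read"))
    attempt("read again", lambda: card.access("balance", "read"))
    attempt("read once more", lambda: card.access("balance", "read"))   # error 3 exceeds 2: card inactivated
    try:
        card.start_transaction()
        out["restart"] = "ok"
    except CardInactivated:
        out["restart"] = "CardInactivated"
    out["errors"] = str(card.errors)
    return out
```

The run in `scenario()` exercises the three claimed checks in turn: the third read in one transaction trips the per-type access counter, the read issued six seconds after a fresh transaction start trips the access period, and the third accumulated error crosses the permissible number of errors so that the card refuses to start any further transaction. The limits are per transaction, so the counters are cleared at every `start_transaction()`, while the error count persists across transactions, which is what makes the inactivation of claims 7 and 15 effective against repeated attempts.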